Abstract

Many decision procedures for SMT problems rely more or less implicitly on an instantiation of the 
axioms of the theories under consideration, and differ by making use of the additional properties of each 
theory, in order to increase efficiency. We present a new technique for devising complete instantiation 
schemes on SMT problems over a combination of linear arithmetic with another theory T. The method 
consists in first instantiating the arithmetic part of the formula, and then getting rid of the remaining 
variables in the problem by using an instantiation strategy which is complete for T. We provide examples 
evidencing that not only is this technique generic (in the sense that it applies to a wide range of theories) 
but it is also efficient, even compared to state-of-the-art instantiation schemes for specific theories. 

1 Introduction

Research in the domain of Satisfiability Modulo Theories focuses on the design of decision procedures capable of testing the satisfiability of ground formulas modulo a given background theory. Such satisfiability checks may arise as a subproblem during the task of proving a more general formula in, e.g., software verification or interactive theorem proving. The background theories under consideration may define usual mathematical objects such as linear arithmetic, or data structures such as arrays or lists. The tools that implement these decision procedures are named SMT solvers, and they are designed to be as efficient as possible. This efficiency is obtained thanks to a sophisticated combination of state-of-the-art techniques derived from SAT solving, and ad hoc procedures designed to handle each specific theory (see, e.g., [7] for a survey).

The lack of genericity of these theory solvers may become an issue, as additional theories, either new ones or extensions of former ones, are defined. For instance, a programmer may wish to add new axioms to the usual theory of arrays to specify, e.g., dimensions, sortedness, or definition domains. A solution to this lack of genericity was investigated in [U |^, where a first-order theorem prover is used to solve SMT problems. Once it is proved that the theorem prover terminates on SMT problems for a given theory, it can be used as an SMT solver for that theory, and no additional implementation is required. Also, under certain conditions such as variable-inactivity (see, e.g., [31 H]), the theorem prover can also be used as an SMT prover for a combination of theories at no further expense. However, first-order theorem provers are not capable of efficiently handling the potentially large boolean structures of SMT problems. A solution to this problem was proposed in [S], with an approach consisting of decomposing an SMT problem in such a way that the theorem prover does not need to handle its boolean part. But even with this approach, theorem provers do not seem capable of competing with state-of-the-art SMT solvers.

A new approach to handling the genericity issue consists in devising a general instantiation scheme for SMT problems. The principle of this approach is to instantiate the axioms of the theories so that it is only necessary to feed a ground formula to the SMT solver. The problem is then to find a way to instantiate the axioms as little as possible, so that the size of the resulting formula does not blow up, while still retaining completeness: the instantiated set of clauses must be satisfiable if and only if the original set is. Such an approach was investigated in and an instantiation scheme was devised along with a syntactic characterization of theories for which it is refutationally complete. One theory that cannot be handled by this approach is the theory of linear arithmetic, which is infinitely axiomatized. Yet, this theory frequently appears in SMT problems, such as the problems on arrays with integer indices. Handling linear arithmetic is also a challenge in first-order theorem proving, and several systems have been designed to handle the arithmetic parts of the formulas in an efficient way (see, e.g., [TS] or the calculus of , which derives from

In this paper, we devise an instantiation scheme for theories containing particular integer constraints. This scheme, together with that of [11], makes it possible to test the satisfiability of an SMT problem over a combination of linear arithmetic with another theory, by feeding a ground formula to an SMT solver. We show the potential efficiency of this scheme by applying it to problems in the theory of arrays with integer indices, and we show that it can generate sets of ground formulas that are much smaller than the ones generated by the instantiation rule of [10]. To emphasize the genericity of our approach, we also use it to integrate arithmetic constraints into a decidable subclass of many-sorted logic.

The paper is organized as follows. After recalling basic definitions from automated theorem proving, we introduce the notion of Z-clauses, which are a restriction of the abstracted clauses of along with the inference system introduced in [2]. We define a way of instantiating integer variables in particular formulas, and show how to determine a set of terms large enough to ensure completeness of the instantiation technique on an SMT problem. We then prove that under some conditions which are fulfilled by the scheme of [11], completeness is retained after using the scheme to instantiate the remaining variables in the SMT problems. We conclude by showing how this combined scheme can be applied on concrete problems.

2 Preliminaries 

We employ a many-sorted framework. Let $\mathcal{S}$ denote a set of sorts, containing in particular a symbol $\mathbb{Z}$ denoting integers. Every variable is mapped to a unique sort in $\mathcal{S}$ and every function symbol $f$ is mapped to a unique profile of the form $s_1 \times \cdots \times s_n \to s$, where $s_1, \ldots, s_n, s \in \mathcal{S}$ (possibly with $n = 0$); the sort $s$ is the range of the function $f$. Terms are built with the usual conditions of well-sortedness. The signature contains in particular the symbols $0$, $-$, $+$ of respective profiles $\mathbb{Z}$, $\mathbb{Z} \to \mathbb{Z}$, $\mathbb{Z} \times \mathbb{Z} \to \mathbb{Z}$. The terms $s^i(0)$, $t + s(0)$, $t + (-s(0))$ and $t + (-s)$ are abbreviated by $i$, $s(t)$, $p(t)$ and $t - s$ respectively. Terms (resp. variables) of sort $\mathbb{Z}$ are called integer terms (resp. integer variables). A term is ground if it contains no variable. We assume that there exists at least one ground term of each sort and that for every function symbol of profile $s_1 \times \cdots \times s_n \to \mathbb{Z}$, we have $s_i = \mathbb{Z}$ for all $i \in [1..n]$: integer terms may only have integer subterms. In other words, a noninteger term may depend on an integer term, but integer terms depend only on integer terms. This condition imposes some sort of hierarchical stratification between the theory of linear arithmetic and the other theory in which the problem is solved. As we shall see, this stratification plays a crucial role in our approach.

An atom is either of the form $t \le s$ where $t, s$ are two terms of sort $\mathbb{Z}$, or of the form $t \simeq s$ where $t, s$ are terms of the same sort. An atom $t \bowtie s$ is arithmetic if $t, s$ are of sort $\mathbb{Z}$.¹ A clause is an expression of the form $\Gamma \to \Delta$, where $\Gamma, \Delta$ are sequences of non-arithmetic atoms. A substitution $\sigma$ is a function mapping every variable $x$ to a term $x\sigma$ of the same sort. Substitution $\sigma$ is ground if for every variable $x$ in the domain of $\sigma$, $x\sigma$ is ground. For any expression $\mathcal{E}$ (term, atom, sequence of atoms or clause), $V(\mathcal{E})$ is the set of variables occurring in $\mathcal{E}$ and $\mathcal{E}\sigma$ denotes the expression obtained by replacing in $\mathcal{E}$ every variable $x$ in the domain of $\sigma$ by the term $x\sigma$. Interpretations are defined as usual. A Z-interpretation $I$ is an interpretation such that the domain of sort $\mathbb{Z}$ is the set of integers, and that the interpretation of the symbols $0$, $-$, $+$ is defined as follows: $I(0) = 0$, $I(t + s) = I(t) + I(s)$ and $I(-t) = -I(t)$. A ground atom $A$ is satisfied by an interpretation $I$ if either $A$ is of the form $t \le s$ and $I(t) \le I(s)$, or $A$ is of the form $t \simeq s$ and $I(t) = I(s)$. A clause $\Gamma \to \Delta$ is satisfied by an interpretation $I$ if for every ground substitution $\sigma$, either there exists an atom $A \in \Gamma\sigma$ that is not satisfied by $I$, or there exists an atom $A \in \Delta\sigma$ that is satisfied by $I$. A set of clauses $S$ is satisfied by $I$ if $I$ satisfies every clause in $S$. As usual, we write $I \models S$ if $S$ is satisfied by $I$ and $S_1 \models S_2$ if every interpretation that satisfies $S_1$ also satisfies $S_2$. $S_1$ and $S_2$ are equivalent if $S_1 \models S_2$ and $S_2 \models S_1$. We note $I \models_{\mathbb{Z}} S$ if $I$ is a Z-interpretation that satisfies $S$; $S_1 \models_{\mathbb{Z}} S_2$ if every Z-interpretation satisfying $S_1$ also satisfies $S_2$, and $S_1, S_2$ are Z-equivalent if $S_1 \models_{\mathbb{Z}} S_2$ and $S_2 \models_{\mathbb{Z}} S_1$.

We assume the standard notions of positions in terms, atoms and clauses. As usual, given two terms $t$ and $s$, $t|_p$ is the subterm occurring at position $p$ in $t$ and $t[s]_p$ denotes the term obtained from $t$ by replacing the subterm at position $p$ by $s$. Given an expression $\mathcal{E}$ (term, atom, clause, ...), a position $p$ is a variable position in $\mathcal{E}$ if $\mathcal{E}|_p$ is a variable.

The flattening operation on a set of clauses $S$ consists in replacing non-constant ground terms $t$ occurring in $S$ by fresh constants $c$, and adding to $S$ the unit clause $t \simeq c$. We refer the reader to, e.g., [4] for more details.

¹ The symbol $\bowtie$ represents either $\simeq$ or $\le$.

3 Z-clauses 

We introduce the class of Z-clauses. These are restricted versions of the abstracted clauses of [6, 2], as we impose that the arithmetic constraints be represented by atoms, and not literals. We add this restriction for the sake of readability; in fact it incurs no loss of generality: for example, a literal $\neg(a \le b)$ can be replaced by the Z-equivalent arithmetic atom $b \le p(a)$. We present some terminology from [2], adapted to our setting.

Definition 1 A Z-clause is an expression of the form $\Lambda \,\|\, \Gamma \to \Delta$, where:

• $\Lambda$ is a sequence of arithmetic atoms (the arithmetic part of $\Lambda \,\|\, \Gamma \to \Delta$);

• $\Gamma \to \Delta$ is a clause such that every integer term occurring in $\Gamma$ or in $\Delta$ is a variable.²

The property that in a Z-clause $\Lambda \,\|\, \Gamma \to \Delta$, every integer term occurring in $\Gamma$ or in $\Delta$ is a variable is simple to ensure. If this is not the case, i.e., if $\Gamma, \Delta$ contain an integer term $t$ that is not a variable, then it suffices to replace every occurrence of $t$ with a fresh integer variable $u$, and add the equation $u \simeq t$ to $\Lambda$. This way every set of clauses can be transformed into an equivalent set of Z-clauses.

The notions of position, replacement, etc. extend straightforwardly to sequences of atoms and Z-clauses, 
taking them as terms with 3 arguments. The notion of satisfiability is extended to Z-clauses as follows: 

Definition 2 A substitution $\sigma$ is a solution of a sequence of arithmetic atoms $\Lambda$ in an interpretation $I$ if $\sigma$ maps the variables occurring in $\Lambda$ to integers such that $I \models \Lambda\sigma$. A Z-clause $\Lambda \,\|\, \Gamma \to \Delta$ is satisfied by an interpretation $I$ if for every solution $\sigma$ of $\Lambda$, the clause $(\Gamma \to \Delta)\sigma$ is satisfied by $I$.

Note that, although the signature may contain uninterpreted symbols of sort Z (e.g. constant symbols 
that must be interpreted as integers), it is sufficient to instantiate the integer variables by integers only. 

Definition 3 Given a Z-clause $C = \Lambda \,\|\, \Gamma \to \Delta$, an abstraction atom in $C$ is an atom of the form $x \simeq t$ which occurs in $\Lambda$. $x \simeq t$ is grounding if $t$ is ground. $C$ is Z-closed if all its integer variables occur in grounding abstraction atoms, and closed if it is Z-closed and every variable occurring in $C$ is of sort $\mathbb{Z}$.

Intuitively, if C is Z-closed, this means that C would not contain any integer variable, had integer terms 
not been abstracted out. Abstraction atoms can be viewed as instantiations, as expressed by the following 
proposition: 

Proposition 4 Given a formula $\phi$ such that $V(\phi) = \{x_1, \ldots, x_n\}$ and a sequence of abstraction atoms $\Lambda = \{x_i \simeq t_i \mid i = 1, \ldots, n\}$, the sets

$$\exists x_1 \cdots \exists x_n.\ (\phi \wedge \Lambda) \quad \text{and} \quad \phi\{x_i \leftarrow t_i \mid i = 1, \ldots, n\}$$

are equivalent.

Proposition 5 Let $C = \Lambda \,\|\, \Gamma \to \Delta$, and assume $\Lambda$ contains an abstraction atom $x \simeq s$. Given $p$, a position of $x$ in $\Gamma \to \Delta$, let $C' = C[s]_p$, and let $C'' = C\{x \leftarrow s\}$. Then $C$, $C'$ and $C''$ are equivalent.

Example 6 Let

$$C_1 = x \simeq a, x \simeq b \,\|\, \to f(x) \simeq c, g(x) \simeq c',$$
$$C_2 = x \simeq a, x \simeq b \,\|\, \to f(x) \simeq c, g(b) \simeq c',$$
$$C_3 = a \simeq a, a \simeq b \,\|\, \to f(a) \simeq c, g(a) \simeq c',$$
$$C_4 = a \simeq a, a \simeq b \,\|\, \to f(a) \simeq c, g(b) \simeq c'.$$

$C_2$ is obtained from $C_1$ by replacing the occurrence of $x$ in $g(x)$, i.e. the subterm at position $3.2.1.1$ in $C_1$, by the constant $b$; $C_3$ is obtained by instantiating $C_1$ with the substitution $\sigma = \{x \leftarrow a\}$, and $C_4$ is obtained by instantiating $C_2$ with $\sigma$. All these clauses are equivalent.
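The following Python model is an added illustration, not code from the paper: it encodes Z-clauses as nested tuples so that the positions of Example 6 (a Z-clause is read as a term with three arguments, a sequence as a term whose arguments are its atoms) can be walked mechanically, and it implements the abstraction step described after Definition 1 that turns a clause with non-variable integer terms into a Z-clause. The tuple encoding, the function names, the labels `"~"`/`"<="` and the small array-flavoured clause used at the end are all assumptions of this example.

```python
# Constructed term representation (this example's own, not the paper's):
#   a term is a variable or constant name (str), or a tuple (f, t1, ..., tn);
#   an atom is ("~", l, r) for l ≃ r or ("<=", l, r) for l ≤ r;
#   a sequence of atoms is ("seq", atom, ...);
#   a Z-clause  Λ ∥ Γ → Δ  is ("clause", Λ, Γ, Δ).
# Every node is a str or a tuple whose children are node[1:], so a position
# such as 3.2.1.1 (Example 6) walks through clause, sequence, atom and term alike.

EQ, LEQ = "~", "<="


def subterm_at(expr, pos):
    """expr|_p: the subterm at position p, written as a tuple of 1-based indices."""
    for i in pos:
        expr = expr[i]  # child i of a node is stored at index i (index 0 is the label)
    return expr


def replace_at(expr, pos, new):
    """expr[new]_p: the expression obtained by replacing the subterm at position p."""
    if not pos:
        return new
    i = pos[0]
    return expr[:i] + (replace_at(expr[i], pos[1:], new),) + expr[i + 1:]


def substitute(expr, sigma):
    """expr sigma: apply a substitution (dict variable -> term) everywhere."""
    if isinstance(expr, str):
        return sigma.get(expr, expr)
    return (expr[0],) + tuple(substitute(child, sigma) for child in expr[1:])


def abstract_integer_terms(zclause, int_symbols, variables):
    """The transformation described after Definition 1: every non-variable
    integer term t in Γ or Δ is replaced by a fresh integer variable u and the
    abstraction atom u ≃ t is appended to Λ.  `int_symbols` lists the constants
    and function symbols of the constructed signature whose range is Z; by the
    stratification assumed in Section 2 an integer term has only integer
    subterms, so the whole of t is abstracted at once."""
    _, lam, gamma, delta = zclause
    memo, fresh = {}, []

    def is_integer(term):
        head = term if isinstance(term, str) else term[0]
        return head in int_symbols and term not in variables

    def abstract(term):
        if not is_integer(term):
            if isinstance(term, str):
                return term
            return (term[0],) + tuple(abstract(child) for child in term[1:])
        if term not in memo:  # one fresh variable per distinct integer term
            memo[term] = f"u{len(memo) + 1}"
            fresh.append((EQ, memo[term], term))
        return memo[term]

    def abstract_seq(seq):
        return ("seq",) + tuple((op, abstract(l), abstract(r)) for op, l, r in seq[1:])

    new_gamma, new_delta = abstract_seq(gamma), abstract_seq(delta)
    return ("clause", lam + tuple(fresh), new_gamma, new_delta)


# Example 6 of the paper, in this representation.
C1 = ("clause",
      ("seq", (EQ, "x", "a"), (EQ, "x", "b")),
      ("seq",),
      ("seq", (EQ, ("f", "x"), "c"), (EQ, ("g", "x"), "c'")))
C2 = replace_at(C1, (3, 2, 1, 1), "b")   # replace x in g(x) by the constant b
C3 = substitute(C1, {"x": "a"})           # C1{x <- a}
C4 = substitute(C2, {"x": "a"})           # C2{x <- a}

# Constructed clause  -> select(A, s(i)) ≃ e, h(s(i)) ≃ e'  with integer symbols 0, i, s, p.
RAW = ("clause", ("seq",), ("seq",),
       ("seq", (EQ, ("select", "A", ("s", "i")), "e"), (EQ, ("h", ("s", "i")), "e'")))
ABSTRACTED = abstract_integer_terms(RAW, {"0", "i", "s", "p"}, set())
```

`ABSTRACTED` is the Z-clause $u_1 \simeq s(i) \,\|\, \to \mathit{select}(A, u_1) \simeq e, h(u_1) \simeq e'$: both occurrences of the same integer term share one abstraction variable, as the text prescribes, and the resulting clause is equivalent to the original by Proposition 4.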

We define an operation permitting to add arithmetic atoms to a Z-clause:

Definition 7 Consider a Z-clause $C = \Lambda \,\|\, \Gamma \to \Delta$ and a set of arithmetic atoms $\Lambda'$. We denote by $[\Lambda', C]$ the Z-clause $\Lambda', \Lambda \,\|\, \Gamma \to \Delta$.

² Recall that by definition a clause cannot contain arithmetic atoms.
An inference system for Z-clauses.

We denote by $\mathcal{H}$ the inference system of [2] on abstracted clauses, depicted in Figure 1. Reduction rules are also defined in [2]; the only one that is useful in our context is the tautology deletion rule, also depicted in Figure 1. We make the additional (and natural) assumption that the ordering is such that all constants are smaller than all non-flat terms. In order to obtain a refutational completeness result on this calculus, the authors of [6, 2] impose the condition of sufficient completeness on sets of clauses. Without this condition, we have the following result, stating a weaker version of refutational completeness for the calculus.

Superposition left:
$$\frac{\Lambda_1 \,\|\, \Gamma_1 \to \Delta_1, l \simeq r \qquad \Lambda_2 \,\|\, s[l'] \simeq t, \Gamma_2 \to \Delta_2}{(\Lambda_1, \Lambda_2 \,\|\, s[r] \simeq t, \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2)\sigma}$$
where $\sigma$ is an mgu of $l$ and $l'$, $l\sigma \not\prec r\sigma$, $s\sigma \not\prec t\sigma$, $l'$ is not a variable, $(l \simeq r)\sigma$ is strictly maximal in $(\Gamma_1 \to \Delta_1, l \simeq r)\sigma$ and $(s[l'] \simeq t)\sigma$ is strictly maximal in $(s[l'] \simeq t, \Gamma_2 \to \Delta_2)\sigma$.

Superposition right:
$$\frac{\Lambda_1 \,\|\, \Gamma_1 \to \Delta_1, l \simeq r \qquad \Lambda_2 \,\|\, \Gamma_2 \to \Delta_2, s[l'] \simeq t}{(\Lambda_1, \Lambda_2 \,\|\, \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2, s[r] \simeq t)\sigma}$$
where $\sigma$ is an mgu of $l$ and $l'$, $l\sigma \not\prec r\sigma$, $s\sigma \not\prec t\sigma$, $l'$ is not a variable, $(l \simeq r)\sigma$ is strictly maximal in $(\Gamma_1 \to \Delta_1, l \simeq r)\sigma$ and $(s[l'] \simeq t)\sigma$ is strictly maximal in $(\Gamma_2 \to \Delta_2, s[l'] \simeq t)\sigma$.

Equality factoring:
$$\frac{\Lambda \,\|\, \Gamma \to \Delta, l \simeq r, l' \simeq r'}{(\Lambda \,\|\, \Gamma, r \simeq r' \to \Delta, l \simeq r')\sigma}$$
where $\sigma$ is an mgu of $l$ and $l'$, $l\sigma \not\prec r\sigma$, $l'\sigma \not\prec r'\sigma$ and $(l \simeq r)\sigma$ is maximal in $(\Gamma \to \Delta, l \simeq r, l' \simeq r')\sigma$.

Ordered factoring:
$$\frac{\Lambda \,\|\, \Gamma \to \Delta, E_1, E_2}{(\Lambda \,\|\, \Gamma \to \Delta, E_1)\sigma}$$
where $\sigma$ is an mgu of $E_1$ and $E_2$, and $E_1\sigma$ is maximal in $(\Gamma \to \Delta, E_1, E_2)\sigma$.

Equality resolution:
$$\frac{\Lambda \,\|\, \Gamma, s \simeq t \to \Delta}{(\Lambda \,\|\, \Gamma \to \Delta)\sigma}$$
where $\sigma$ is an mgu of $s$ and $t$, and $(s \simeq t)\sigma$ is maximal in $(\Gamma, s \simeq t \to \Delta)\sigma$.

Constraint refutation:
$$\frac{\Lambda_1 \,\|\, \to \qquad \cdots \qquad \Lambda_n \,\|\, \to}{\square}$$
where $\Lambda_1 \,\|\, \to\ \wedge \cdots \wedge\ \Lambda_n \,\|\, \to$ is inconsistent in $\mathbb{Z}$.

As usual the system is parameterized by an ordering among terms, extended into an ordering on atoms and clauses (see [5] for details). The rules are applied modulo the AC properties of the sequences and the commutativity of $\simeq$.

Tautology deletion:
$$\Lambda \,\|\, \Gamma \to \Delta$$
is deleted if $\Gamma \to \Delta$ is a tautology, or the existential closure of $\Lambda$ is Z-unsatisfiable.

Figure 1: The inference system $\mathcal{H}$

Theorem 8 Let $S$ denote a Z-unsatisfiable set of Z-clauses. Then there exists a Z-unsatisfiable set of clauses $\{\Lambda_i \,\|\, \to \ \mid i \in \mathbb{N}\}$ such that for every $i \in \mathbb{N}$, $\Lambda_i \,\|\, \to$ can be deduced from $S$ by applying the rules in $\mathcal{H}$.

Proof. (Sketch) Let $I$ be an interpretation of the integer symbols in $S$, and let $(a_i)_{i \in \mathbb{Z}}$ be a family of constant symbols of a new sort $\mathsf{U}$. We denote by $S'$ the set of clauses of the form $C\sigma{\downarrow_I}$ where:

• $\Lambda \,\|\, C \in S$.

• $\sigma$ is a substitution mapping every integer variable in $C$ to a ground integer term $s^k(0)$ or $-s^k(0)$ such that $I \models \Lambda\sigma$.

• $C\sigma{\downarrow_I}$ is obtained from $C\sigma$ by replacing every ground integer term $t$ by $a_{I(t)}$.

It is clear that $S'$ is a set of clauses ($\mathbb{Z}$ is replaced by $\mathsf{U}$ in the profile of the function symbols) that contains no integer term. Furthermore, $S'$ is unsatisfiable: if $S'$ admits a model $J$, then a model $K$ of $S$ can be constructed by extending the interpretation $I$ as follows: for every function $f$ of profile $s_1 \times \cdots \times s_n \to s$ where $s \neq \mathbb{Z}$, $f^K(d_1, \ldots, d_n) = f^J(d'_1, \ldots, d'_n)$ where $d'_i = d_i$ if $s_i \neq \mathbb{Z}$ and $d'_i = J(a_{d_i})$ if $s_i = \mathbb{Z}$. It is straightforward to check that $K \models S$ if $J \models S'$.

By the refutational completeness of the superposition calculus (on clauses not containing integer terms), $S'$ admits a refutation. Note that by definition, no superposition within terms of sort $\mathsf{U}$ can occur in $S'$. Thus by the usual lifting argument, this derivation can be transformed into a derivation from $S$: it suffices to replace in the clauses $C\sigma$ each constant $a_i$ by the corresponding integer variable in $C$ and to attach the original arithmetic constraint $\Lambda$ to the clause. This derivation yields a clause of the form $\Lambda \,\|\, \to$ where $I \models \exists \bar{x}.\ \Lambda$ (if $\bar{x}$ denotes the vector of variables in $\Lambda$). By repeating this for every possible interpretation, we obtain a set of clauses satisfying the desired property. The conjunction of these clauses is unsatisfiable since every arithmetic interpretation falsifies at least one clause. ∎

Note that this does not imply refutational completeness, since the set $\{\Lambda_i \,\|\, \to \ \mid i \in \mathbb{N}\}$ may be infinite (if this set is finite then the Constraint refutation rule applies and generates $\square$). For instance, the set of Z-clauses $S = \{\, x \simeq a \,\|\, \to p(x),\ \ x \simeq s(y) \,\|\, p(x) \to p(y),\ \ p(0) \to,\ \ a < 0 \,\|\, \to \,\}$ is clearly unsatisfiable, and the calculus generates an infinite number of clauses of the form $s^k(0) \simeq a \,\|\, \to$ for $k \in \mathbb{N}$. It is actually simple to see that there is no refutationally complete calculus for sets of Z-clauses, since we explicitly assume that $\mathbb{Z}$ is interpreted as the set of integers. In our case however there are additional conditions on the arithmetic constraints that ensure that only a finite set of Z-clauses of the form $\Lambda \,\|\, \to$ will be generated. Thus, for the Z-clauses we consider, refutational completeness of the calculus will hold, and it will always generate the empty clause starting from an unsatisfiable set of Z-clauses. However, we do not intend to use this result to test the satisfiability of the formulas. The reason is that, as explained in the introduction, the superposition calculus is not well adapted to handle efficiently very large propositional formulas. In this paper, we use the inference system $\mathcal{H}$ only as a theoretical tool to show the existence of an instantiation scheme. To this aim we need the following property (see [6], Lemma 8 for details):

Proposition 9 If $\sigma$ is an mgu occurring in an $\mathcal{H}$-inference, then $\sigma$ maps integer variables to integer variables.

4 Instantiation of inequality formulas

Given an SMT problem over a combination of a given theory with the theory of linear arithmetic, the inference system of [2] permits to separate the reasoning on the theory itself from the reasoning on the arithmetic part of the formula. If the input set of clauses is unsatisfiable, then the inference system will generate a set of clauses of the form $\{\Lambda_1 \,\|\, \to, \ldots, \Lambda_n \,\|\, \to, \ldots\}$, which is inconsistent in $\mathbb{Z}$. In this section, we investigate how to safely instantiate the $\Lambda_i$'s, under some condition on the atoms they contain. We shall impose that each $\Lambda_i$ be equivalent to a formula of the following form:

Definition 10 An inequality formula is of the form $\phi: \bigwedge_{i=1}^{m} s_i \le t_i$ where for all $i = 1, \ldots, m$, $s_i$ and $t_i$ are ground terms or variables.

If $A$ is a set of terms, we use the notation $A \le x$ (resp. $x \le A$) as a shorthand for $\bigwedge_{s \in A} s \le x$ (resp. $\bigwedge_{s \in A} x \le s$). We denote by $U_x^\phi$ the set $U_x^\phi = \{y \in V(\phi) \mid x \le y \text{ occurs in } \phi\}$. We may thus rewrite the formula $\phi$ as

$$\phi:\ \bigwedge_{x \in V(\phi)} \Big( A_x^\phi \le x \ \wedge\ x \le B_x^\phi \ \wedge \bigwedge_{y \in U_x^\phi} x \le y \Big) \ \wedge\ \phi',$$

where the sets $A_x^\phi$ and $B_x^\phi$ are ground for all $x$, and $\phi'$ only contains inequalities between ground terms.

Definition 11 For all $x \in V(\phi)$, we consider the sets $B_x^+$, defined as the smallest sets satisfying the following property:

$$B_x^+ \ \supseteq\ B_x^\phi \ \cup \bigcup_{y \in U_x^\phi} B_y^+ \ \cup\ \{\chi\},$$

where $\chi$ is a special constant that does not occur in $\phi$.

Note that the $B_x^+$'s are never empty.

Example 12 Consider the formula $\phi$:

$$a_1 \le x \ \wedge\ x \le b_1 \ \wedge\ x \le y \ \wedge\ x \le z \ \wedge\ a_2 \le y \ \wedge\ y \le b_2 \ \wedge\ y \le b_3 \ \wedge\ a_3 \le z.$$

Then $B_x^+ = \{b_1, b_2, b_3, \chi\}$, $B_y^+ = \{b_2, b_3, \chi\}$, and $B_z^+ = \{\chi\}$.
Proposition 13 For every inequality formula $\phi$, every variable $x$ occurring in $\phi$ and every term $t \in B_x^+$, either $t = \chi$ or $\phi \models_{\mathbb{Z}} x \le t$.

Proof. Let $C_x$ be the set of terms $t$ such that either $t = \chi$ or $\phi \models_{\mathbb{Z}} x \le t$. By definition, $C_x$ contains $B_x^\phi$ and $\chi$. Furthermore, if $y \in U_x^\phi$ then $x \le y$ occurs in $\phi$, thus $\phi \models x \le y$, hence $\phi \models x \le t$ for every $t \in C_y$ distinct from $\chi$ (by transitivity of $\le$ in $\mathbb{Z}$). Thus $C_x \supseteq \bigcup_{y \in U_x^\phi} C_y$ and finally $C_x \supseteq B_x^\phi \cup \bigcup_{y \in U_x^\phi} C_y \cup \{\chi\}$. By definition the $B_x^+$'s are the smallest sets satisfying the previous property, thus $\forall x \in V(\phi)$, $C_x \supseteq B_x^+$ and the proof is completed. ∎

Theorem 14 Given an inequality formula $\phi$ such that $V(\phi) = \{x_1, \ldots, x_n\}$, consider the two following formulas:

$$\exists x_1 \cdots \exists x_n.\ \phi \qquad (\alpha)$$
$$\bigvee_{s_1 \in B^+_{x_1}} \cdots \bigvee_{s_n \in B^+_{x_n}} \phi\{x_i \leftarrow s_i \mid i = 1, \ldots, n\} \qquad (\beta)$$

Let $I$ denote a Z-interpretation of $(\alpha)$ and $G$ denote a ground set containing all ground terms occurring in $\phi$. Then $I \models (\alpha)$ if and only if, for any extension $J$ of $I$ to the constant $\chi$, $J \models \big(\bigwedge_{t \in G} \neg(\chi \le t)\big) \Rightarrow (\beta)$.

Proof. First suppose all extensions of $I$ to $\chi$ satisfy $(\beta)$, and let $J$ denote an extension of $I$ such that for all $t \in G$, $J(\chi) > J(t)$. Then by construction of $(\beta)$, there exists a substitution $\sigma = \{x_i \leftarrow s_i \mid i = 1, \ldots, n\}$, where for all $i = 1, \ldots, n$, $s_i \in B^+_{x_i}$, such that $J \models_{\mathbb{Z}} \phi\sigma$. It is clear that $I \models (\alpha)$, since $\chi$ does not occur in $\phi$.

Conversely, assume that $I \models (\alpha)$. Let $J$ be an extension of $I$ such that $\forall t \in G$, $J(\chi) > J(t)$. Let $\sigma$ be the substitution of domain $\{x_1, \ldots, x_n\}$ such that for all $i \in [1..n]$, $\sigma(x_i) = \min_{t \in B^+_{x_i}} (I(t))$. We prove that $J \models \phi\sigma$.

$I \models \exists x_1 \cdots \exists x_n.\ \phi$, thus there exists a substitution $\theta$ mapping each variable $x_i$ ($1 \le i \le n$) to an integer such that $I \models \phi\theta$. For every atom $t \le s$ occurring in $\phi$, we have $I \models (t \le s)\theta$. We prove that $J \models (t \le s)\sigma$ by investigating the different cases:

• If $t, s$ are two ground terms in $\phi$, then since $\chi$ does not occur in $\phi$, we have $I(t) = J(t)$ and $I(s) = J(s)$, thus $I \models (t \le s) \Rightarrow J \models (t \le s) = (t \le s)\sigma$.

• If $t$ is a variable $x_i$ (for some $i \in [1..n]$) and $s$ is a ground term, then by definition $s \in B^\phi_{x_i} \subseteq B^+_{x_i}$, thus by definition of $\sigma$, we have $x_i\sigma \le I(s) = J(s)$. Hence $J \models (t \le s)\sigma$.

• If $s$ is a variable $x_i$ (for some $i \in [1..n]$) and $t$ is a ground term, then by Proposition 13, since $x_i\sigma \in I(B^+_{x_i})$, we must have either $\phi \models x_i \le x_i\sigma$ or $x_i\sigma = J(\chi)$. If $x_i\sigma = J(\chi)$ then since $t$ is in $G$, we have $J \models_{\mathbb{Z}} (t \le x_i\sigma)$ by definition of $J$. Otherwise, by definition $\phi \models_{\mathbb{Z}} t \le x_i$, thus $t \le x_i\sigma$, by transitivity of $\le$ in $\mathbb{Z}$. Hence $I \models (t \le x_i)\sigma$, i.e. $J \models (t \le x_i)\sigma$.

• Finally, assume that both $t$ and $s$ are variables $x_i, x_j$ respectively, where $i, j \in [1..n]$. Since $x_i \le x_j$ occurs in $\phi$ we have $B^+_{x_i} \supseteq B^+_{x_j}$. Thus $\min I(B^+_{x_i}) \le \min I(B^+_{x_j})$, hence $x_i\sigma \le x_j\sigma$, i.e. $J \models (t \le s)\sigma$. ∎

In our case, the sets $B^+_x$ will not be known, since the clauses in which $\phi$ occurs will not be generated explicitly (see Section 5 for details). Thus we need to use an over-approximation of these sets:

Definition 15 A set of ground terms $B$ is an upper bound of an inequality formula $\phi$ if for all atoms $x \le t$ occurring in $\phi$, $t$ is an element of $B$. The set $B$ is an upper bound of a set of inequality formulas if it is an upper bound of each formula.

Proposition 16 Let $\phi$ denote an inequality formula. If $B$ is an upper bound of $\phi$ then for every variable $x$ in $\phi$, $B \cup \{\chi\} \supseteq B^+_x$.

It is clear that if $B$ is an upper bound of an inequality formula, then Theorem 14 still holds when the variables in $\phi$ are instantiated by all the elements in $B \cup \{\chi\}$ instead of just those in the $B^+_x$'s.

Definition 17 Given an inequality formula $\phi$ such that $V(\phi) = \{x_1, \ldots, x_m\}$ and a set of ground terms $B$, a $B$-definition of $\phi$ is a set (i.e. a conjunction) of grounding abstraction atoms $\{x_i \simeq s_i \mid i = 1, \ldots, m\}$, such that every $s_i$ is in $B$. We denote by $\Theta_B[\phi]$ the set of all $B$-definitions of $\phi$.

Intuitively, a $B$-definition of a formula represents a grounding instantiation of this formula.
Example 18 Let $\phi = x \le f(a) \wedge b \le x \wedge y \le a$, and assume $B = \{a, c\}$. Then $\Theta_B[\phi]$ contains four sets:

• $\{x \simeq a, y \simeq a\}$, which corresponds to the substitution $\{x \leftarrow a, y \leftarrow a\}$,

• $\{x \simeq a, y \simeq c\}$, which corresponds to the substitution $\{x \leftarrow a, y \leftarrow c\}$,

• $\{x \simeq c, y \simeq a\}$, which corresponds to the substitution $\{x \leftarrow c, y \leftarrow a\}$,

• $\{x \simeq c, y \simeq c\}$, which corresponds to the substitution $\{x \leftarrow c, y \leftarrow c\}$.
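As an added illustration (not code from the paper), the following Python model covers Definition 11 and Example 12, the construction in the proof of Theorem 14, and the $B$-definitions of Definition 17 and Example 18: it computes the sets $B_x^+$ by iterating the inclusion of Definition 11 to a fixpoint, builds the minimum-witness substitution $\sigma$ of the proof of Theorem 14, and decides $\exists \bar{x}.\ \phi$ in a given Z-interpretation by trying the finitely many instances of formula $(\beta)$. The pair-list encoding of inequality formulas, the constant name `CHI` standing for $\chi$, the function names, and the integer values chosen for $a_1, b_1, \ldots$ are this example's own assumptions.

```python
from itertools import product

# Constructed instance of Example 12: phi =
#   a1 <= x, x <= b1, x <= y, x <= z, a2 <= y, y <= b2, y <= b3, a3 <= z.
# An inequality formula is a list of (lhs, rhs) pairs meaning lhs <= rhs; the
# names in PHI_VARS are its integer variables, every other name is a ground term.
PHI = [("a1", "x"), ("x", "b1"), ("x", "y"), ("x", "z"),
       ("a2", "y"), ("y", "b2"), ("y", "b3"), ("a3", "z")]
PHI_VARS = {"x", "y", "z"}
CHI = "chi"  # the special constant chi of Definition 11; assumed not to occur in phi


def upper_bound_sets(atoms, variables):
    """B_x^+ of Definition 11: the least sets with
         B_x^+  >=  B_x^phi  U  (union of B_y^+ for y in U_x^phi)  U  {chi},
    obtained by iterating the inclusion from B_x^phi U {chi} to a fixpoint."""
    b_phi = {x: set() for x in variables}  # ground upper bounds of x (B_x^phi)
    u_phi = {x: set() for x in variables}  # variable upper bounds of x (U_x^phi)
    for lhs, rhs in atoms:
        if lhs in variables:
            (u_phi if rhs in variables else b_phi)[lhs].add(rhs)
    b_plus = {x: b_phi[x] | {CHI} for x in variables}
    changed = True
    while changed:
        changed = False
        for x in variables:
            new = b_plus[x].union(*(b_plus[y] for y in u_phi[x]))
            if new != b_plus[x]:
                b_plus[x], changed = new, True
    return {x: frozenset(s) for x, s in b_plus.items()}


def b_definitions(variables, bound):
    """Theta_B[phi] of Definition 17: one substitution (as a dict) per way of
    mapping every variable into the ground set `bound`."""
    names = sorted(variables)
    return [dict(zip(names, choice))
            for choice in product(sorted(bound), repeat=len(names))]


def holds(atoms, valuation):
    """Truth of the conjunction once every name (variable or ground term) has an integer value."""
    return all(valuation[lhs] <= valuation[rhs] for lhs, rhs in atoms)


def extend_with_chi(interp):
    """An extension J of I as in Theorem 14: chi is larger than every ground term of G."""
    return {**interp, CHI: max(interp.values()) + 1}


def min_witness(atoms, variables, interp):
    """The substitution sigma of the proof of Theorem 14: sigma(x) = min over
    t in B_x^+ of J(t).  When I |= exists x1..xn. phi, the proof shows J |= phi sigma."""
    j = extend_with_chi(interp)
    b_plus = upper_bound_sets(atoms, variables)
    return {x: min(j[t] for t in b_plus[x]) for x in variables}


def exists_via_instances(atoms, variables, interp, bound=None):
    """Decide I |= exists x1..xn. phi through formula (beta) of Theorem 14: some
    instance over the B_x^+ (or, by Proposition 16, over an upper bound B plus
    chi) must hold in J.  Returns the instantiating substitution, or None."""
    j = extend_with_chi(interp)
    b_plus = upper_bound_sets(atoms, variables)
    names = sorted(variables)
    choices = [sorted(b_plus[x]) if bound is None else sorted(set(bound) | {CHI})
               for x in names]
    for picked in product(*choices):
        sigma = dict(zip(names, picked))
        if holds(atoms, {**j, **{x: j[t] for x, t in sigma.items()}}):
            return sigma
    return None


# Constructed Z-interpretation of the ground terms of Example 12.
I_SAT = {"a1": 0, "b1": 5, "a2": 3, "b2": 4, "b3": 10, "a3": 2}
I_UNSAT = {**I_SAT, "a1": 6}  # a1 <= x <= b1 becomes impossible
```

Under `I_SAT` the witness is $x = y = 4$ (the value of $b_2$, the smallest element of $B_x^+$ and $B_y^+$) and $z = J(\chi)$, and it satisfies $\phi$; under `I_UNSAT` no instance over the $B_x^+$ satisfies $\phi$, which by Theorem 14 is exactly the statement that $\exists x\, y\, z.\ \phi$ fails. Passing `bound` exercises the over-approximation of Proposition 16 instead of the exact sets.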
We rephrase a direct consequence of Theorem 14 using $B$-definitions:

Corollary 19 Let $\{\phi_1, \ldots, \phi_n\}$ denote a set of inequality formulas over the disjoint sets of variables $\{x_{i,1}, \ldots, x_{i,m_i}\}$ ($i = 1, \ldots, n$), let $B$ denote an upper bound of this set, and assume that $\bigvee_{i=1}^{n} \exists x_{i,1} \cdots \exists x_{i,m_i}.\ \phi_i$ is valid in $\mathbb{Z}$. If $G$ contains all ground terms occurring in the inequality formulas and $B' = B \cup \{\chi\}$, then

$$\bigwedge_{t \in G} \neg(\chi \le t) \ \Rightarrow\ \bigvee_{i=1}^{n} \Big( \bigvee_{\Lambda_i \in \Theta_{B'}[\phi_i]} \exists x_{i,1} \cdots \exists x_{i,m_i}.\ (\phi_i \wedge \Lambda_i) \Big) \qquad (\gamma)$$

is also valid in $\mathbb{Z}$.

Proof. Let $I$ denote a Z-interpretation that interprets all the symbols in $G \cup \{\chi\}$; by hypothesis, $I$ must satisfy the formula $\bigvee_{i=1}^{n} \exists x_{i,1} \cdots \exists x_{i,m_i}.\ \phi_i$ in $\mathbb{Z}$. Since for all $i = 1, \ldots, n$ and for all terms $s_{i,1}, \ldots, s_{i,m_i}$, the formulas

$\phi_i\{x_{i,j} \leftarrow s_{i,j} \mid j = 1, \ldots, m_i\}$ and

are equivalent by Proposition 4, we deduce by Theorem 14 that $I$ is also a model of $(\gamma)$, hence the result. ∎

It is important to note that results similar to those of this section could have been proved by considering the terms occurring in atoms of the form $t \le x$, instead of those of the form $x \le t$, and considering lower bounds instead of upper bounds. This should make it possible to choose, depending on the problem and on which sets are smaller, whether to instantiate variables using lower bounds or upper bounds.

5 Properties of inferences on Z-clauses 

Corollary 19 shows how to safely get rid of integer variables in a set of inequality formulas, provided an upper bound of this set is known. The goal of this section is first to show that given an initial set of Z-clauses $S$, such an upper bound can be determined, regardless of the inequality formulas that can be generated from $S$. Then we show that by instantiating the integer variables in $S$, it is still possible to generate all necessary instances of the inequality formulas. Thus, $S$ and the corresponding instantiated set will be equisatisfiable.

We shall use Proposition 9 to describe several properties on Z-clauses that are preserved by inferences. We first define a generalization of the notion of an upper bound of an inequality formula (see Definition 15) to the case of Z-clauses.

Definition 20 Given a Z-clause $C = \Lambda \,\|\, \Gamma \to \Delta$ and a set of ground terms $B$, we write $C \le B$ if for all atoms $x \le t \in \Lambda$,

• $\Lambda$ contains (not necessarily distinct) grounding abstraction atoms of the form $x_i \simeq s_i$, $i = 1, \ldots, n$;

• there exist variable positions $\{p_1, \ldots, p_n\}$ such that variable $x_i$ occurs at position $p_i$, and $t[s_1]_{p_1} \cdots [s_n]_{p_n} \in B$.

Example 21 Let $C = x \simeq a, y \simeq b, y \simeq c, z \le f(g(x, y), y) \,\|\, \to h(x, y, z) \simeq d$ and $B = \{f(g(a, c), b)\}$. Then

Intuitively, for a Z-clause $C = \Lambda \,\|\, \Gamma \to \Delta$, the set $B$ is an upper bound of the inequality atoms in $\Lambda$ provided that, for all atoms $x \le t$, the variables in $t$ are replaced by the correct terms. This property is preserved by inferences:
Lemma 22 Let $D, D'$ denote (not necessarily distinct) Z-clauses that generate a Z-clause $C$, and let $B$ denote a set of ground terms. If $D \le B$ and $D' \le B$, then $C \le B$.

Proof. Let $D = \Lambda_1 \,\|\, \Gamma_1 \to \Delta_1$ and $D' = \Lambda_2 \,\|\, \Gamma_2 \to \Delta_2$. Then $C$ is of the form $(\Lambda_1, \Lambda_2 \,\|\, \Gamma \to \Delta)\sigma$, where $\sigma$ maps integer variables to integer variables by Proposition 9. Let $x \le t$ denote an atom in $(\Lambda_1, \Lambda_2)\sigma$; then one of $\Lambda_1, \Lambda_2$, say $\Lambda_1$, contains an atom $y \le t'$ such that $(y \le t')\sigma = x \le t$. Since $D \le B$ by hypothesis, $\Lambda_1$ contains grounding abstraction atoms of the form $x_i \simeq s_i$ and there exist variable positions $\{p_1, \ldots, p_n\}$ such that $t'[s_1]_{p_1} \cdots [s_n]_{p_n} \in B$. It is clear that for all $i$, $(x_i \simeq s_i)\sigma$ is a grounding abstraction atom in $\Lambda_1\sigma$, thus $t[s_1]_{p_1} \cdots [s_n]_{p_n} = t'[s_1]_{p_1} \cdots [s_n]_{p_n} \in B$. ∎

In order not to unnecessarily instantiate some of the integer variables in a Z-clause, we distinguish those 
that appear in abstraction atoms from those that appear in inequality atoms. It will only be necessary to 
instantiate the latter variables. 

Definition 23 Let $C = \Lambda \,\|\, \Gamma \to \Delta$; the set of abstraction variables in $C$, $V_{\mathrm{abs}}(C)$, and the set of inequality variables in $C$, $V_{\mathrm{ineq}}(C)$, are defined as follows:

$$V_{\mathrm{abs}}(C) = \{x \in V(C) \mid \Lambda \text{ contains an abstraction atom } x \simeq t\}$$

and

$$V_{\mathrm{ineq}}(C) = \{x \in V(C) \mid \Lambda \text{ contains an atom of the form } x \le t \text{ or } t \le x\}.$$

We may assume without loss of generality that all integer variables in a Z-clause $C$ are in $V_{\mathrm{abs}}(C) \cup V_{\mathrm{ineq}}(C)$. If this is not the case, it suffices to add to the arithmetic part of $C$ the atom $x \le x$.

We define the notion of a preconstrained Z-clause. If a preconstrained Z-clause is of the form $\Lambda \,\|\, \to$ then $\Lambda$ will be equivalent to an inequality formula, and this property is preserved by inferences.

Definition 24 A Z-clause $C = \Lambda \,\|\, \Gamma \to \Delta$ is preconstrained if every atom in $\Lambda$ that is not a grounding abstraction atom either has all its variables in $V_{\mathrm{abs}}(C)$, or is of the form $x \le t$ or $t \le x$, where $t$ is either a variable itself, or has all its variables in $V_{\mathrm{abs}}(C)$.

Example 25 $x \simeq a, y \simeq b, f(x, y) \simeq g(y), z \le g(x) \,\|\, \to h(x, y, z) \simeq e$ is preconstrained, but $x \simeq a, y \le g(y) \,\|\, \to h(x, y, z) \simeq e$ is not, because $y$ does not occur in a grounding abstraction atom.

Lemma 26 Let $D, D'$ denote (not necessarily distinct) Z-clauses that generate a Z-clause $C$. If $D$ and $D'$ are preconstrained, then so is $C$.

Proof. This is a direct consequence of Proposition 9, since integer variables are mapped to integer variables by the mgu $\sigma$, and it is simple to verify that $V_{\mathrm{abs}}(C) = (V_{\mathrm{abs}}(D) \cup V_{\mathrm{abs}}(D'))\sigma$. ∎

Definition 27 Given a Z-clause $C = \Lambda \,\|\, \Gamma \to \Delta$, we denote by $T_{\mathrm{abs}}(C)$ the set

$$T_{\mathrm{abs}}(C) = \{t \mid x \simeq t \text{ is a grounding abstraction atom in } \Lambda\}.$$

Given a set of Z-clauses $S$, we denote by $T_{\mathrm{abs}}(S)$ the set $\bigcup_{C \in S} T_{\mathrm{abs}}(C)$.

Lemma 28 If $C$ is generated from a set of clauses $S$, then $T_{\mathrm{abs}}(C) \subseteq T_{\mathrm{abs}}(S)$.

Proof. This is a direct consequence of Proposition 9. ∎

We extend the notion of a $B$-definition to Z-clauses. Intuitively, a $B$-definition of such a Z-clause represents a ground instantiation of the inequality variables it contains.

Definition 29 Given a Z-clause $C$ such that $V_{\mathrm{ineq}}(C) = \{x_1, \ldots, x_m\}$ and a set of ground terms $B$, a $B$-definition of $C$ is a set of grounding abstraction atoms $\{x_i \simeq s_i \mid i = 1, \ldots, m\}$, such that every $s_i$ is in $B$. We denote by $\Theta_B[C]$ the set of all $B$-definitions of $C$. Given a set of Z-clauses $S$, we denote by $S_B$ the set

$$S_B = \{[\Lambda', C] \mid C \in S \wedge \Lambda' \in \Theta_B[C]\}.$$
If a Z-clause $C$ is generated from a set of Z-clauses $S$, the following lemma shows that by carefully instantiating the inequality variables occurring in $S$, we obtain a set of Z-clauses that generates the required instances of $C$.

Lemma 30 Consider a set of Z-clauses $S$ and a set of terms $B$ such that $T_{\mathrm{abs}}(S) \subseteq B$. If $C = \Lambda \,\|\, \Gamma \to \Delta$ is generated from $S$ and $\Lambda' \in \Theta_B[C]$, then $C' = [\Lambda', C]$ can be generated from $S_B$.

Proof. By induction on the length of the derivation. Assume $C$ is generated by a superposition from $D_1 = \Lambda_1 \,\|\, \Gamma_1 \to \Delta_1$ into $D_2 = \Lambda_2 \,\|\, \Gamma_2 \to \Delta_2$; the other cases are identical. Then $C$ is of the form $(\Lambda_1, \Lambda_2 \,\|\, \Gamma \to \Delta)\sigma$, and $\sigma$ maps the variables in $\Lambda = \Lambda_1 \cup \Lambda_2$ to variables. For $i = 1, 2$, let

$$\Lambda'_i = \{x \simeq t \mid x \in V_{\mathrm{ineq}}(D_i) \text{ and } x\sigma \simeq t \text{ is an abstraction atom in } (\Lambda \cup \Lambda')\sigma\}.$$

Then $C'$ is generated by $D'_1 = [\Lambda'_1, D_1]$ and $D'_2 = [\Lambda'_2, D_2]$.

By Lemma 28, $T_{\mathrm{abs}}(C) \subseteq T_{\mathrm{abs}}(S)$, hence $T_{\mathrm{abs}}(C') \subseteq B$. Thus, for $i = 1, 2$, $\Lambda'_i \in \Theta_B[D_i]$; by the induction hypothesis, $D'_1$ and $D'_2$ are generated by $S_B$, therefore, so is $C'$. ∎

Example 31 Consider the Z-clauses Di = x ^ i \\ select(a,a;) ~ e and D2 — y d: b\\ select(a,y) ~ 
e', and let B = {i}. These Z-clauses generate C = a; ~ i, a; ^ 6 || — > e ~ e', which is also generated by Di 
and [y ~ i, D2]. 4 

The following relation permits to keep track of the ground integer terms that may occur in a derivation:

Definition 32 Given a $\mathbb{Z}$-clause $C = \Lambda \,\|\, \Gamma \to \Delta$ and a set of ground terms $G$, we write $C \lhd G$ if for all nonvariable terms $t$ in $\Lambda$:

• $\Lambda$ contains (not necessarily distinct) grounding abstraction atoms of the form $x_i \simeq s_i$, $i = 1, \ldots, n$;

• there exist variable positions $\{p_1, \ldots, p_n\}$ such that variable $x_i$ occurs at position $p_i$, and $t[s_1]_{p_1} \ldots [s_n]_{p_n} \in G$.

We prove a stability result on the set of ground integer terms that may occur in a derivation:

Proposition 33 Let $D, D'$ denote (not necessarily distinct) $\mathbb{Z}$-clauses that generate a $\mathbb{Z}$-clause $C$, and let $G$ denote a set of ground terms. If $D \lhd G$ and $D' \lhd G$, then $C \lhd G$.

We may now state a result which links the constraint refutation rule of the inference system with Corollary 19 and suggests a way of safely instantiating inequality variables in a set of $\mathbb{Z}$-clauses.

Lemma 34 Let $B$ denote a set of ground terms, and let $S = \{C_1, \ldots, C_n\}$ denote a set of $\mathbb{Z}$-clauses such that for all $i = 1, \ldots, n$, $C_i = \Lambda_i \,\|\, \to$ is a preconstrained $\mathbb{Z}$-clause such that $C_i \lhd B$. Given a constant symbol $\chi$ that does not occur in $S$, let $B' = B \cup \{\chi\}$. If $G \supseteq B$ is a ground set such that for all $i$, $C_i \lhd G$, then $S$ is satisfiable in $\mathbb{Z}$ if and only if

$$\bigcup_{i=1}^{n} \{\, [\Lambda', C_i] \mid \Lambda' \in \Theta_{B'}[C_i] \,\} \ \cup\ \bigcup_{t \in G} \{\, \chi \leq t \,\|\, \to \,\}$$

is satisfiable in $\mathbb{Z}$.

Proof. For $i = 1, \ldots, n$, let $\{x_{i,1}, \ldots, x_{i,m_i}\}$ denote the set of variables occurring in $\Lambda_i$. Since each $C_i$ is of the form $\Lambda_i \,\|\, \to$, the set $\{C_1, \ldots, C_n\}$ is unsatisfiable in $\mathbb{Z}$ if and only if the formula $\bigvee_{i=1}^{n} \exists x_{i,1} \cdots \exists x_{i,m_i}.\ \Lambda_i$ is valid in $\mathbb{Z}$. Since every $C_i$ is preconstrained and such that $C_i \lhd B$, every $\Lambda_i$ is equivalent to an inequality formula of the form

$$\phi_i = \bigwedge_{j} x_j \leq s'_j \ \wedge\ \bigwedge_{k} s'_k \leq x_k \ \wedge\ \psi,$$

over the set of variables $\{x_{i,1}, \ldots, x_{i,m_i}\}$, and $\phi_i$ is upper bounded by $B$. By Corollary 19, the formula

$$\bigwedge_{t \in G} \neg(\chi \leq t) \ \Rightarrow\ \bigvee_{i=1}^{n} \ \bigvee_{\Lambda' \in \Theta_{B'}[\phi_i]} \exists x_{i,1} \cdots \exists x_{i,m_i}.\ (\phi_i \wedge \Lambda')$$

is valid in $\mathbb{Z}$ if and only if the formula

$$\bigvee_{i=1}^{n} \exists x_{i,1} \cdots \exists x_{i,m_i}.\ \Lambda_i$$

is valid in $\mathbb{Z}$, hence the result. ■



We therefore obtain the main result of this section:

Theorem 35 Suppose $S$ is a set of $\mathbb{Z}$-clauses and $B$ is a set of ground terms such that for every $\mathbb{Z}$-clause of the form $C = \Lambda \,\|\, \to$ generated from $S$:

• $C$ is preconstrained,

• $C \lhd B$.

Let $B' = B \cup \{\chi\}$, where $\chi$ does not occur in $S$, and let $G \supseteq B$ denote a set of ground terms such that for all $C \in S$, $C \lhd G$. Then $S$ is $\mathbb{Z}$-satisfiable if and only if $S_{B'} \cup \bigcup_{t \in G} \{\, \chi \leq t \,\|\, \to \,\}$ is $\mathbb{Z}$-satisfiable.

Proof. If $S$ is unsatisfiable, then by Theorem [?] it generates an unsatisfiable set of $\mathbb{Z}$-clauses $\{C_i \mid i \in \mathbb{N}\}$, and each $C_i$ is of the form $\Lambda_i \,\|\, \to$. The number of such $\mathbb{Z}$-clauses $S$ can generate is finite, since only a finite number of terms can appear in the arithmetic part of each $\mathbb{Z}$-clause, hence the constraint refutation rule can be applied to generate the empty $\mathbb{Z}$-clause. By Lemma 34, $S_{B'} \cup \bigcup_{t \in G} \{\chi \leq t \,\|\, \to\}$ is unsatisfiable. Now assume $S$ is satisfiable; then since $\chi$ does not occur in $S$, it is clear that $S \cup \bigcup_{t \in G} \{\chi \leq t \,\|\, \to\}$ is also satisfiable, hence so is the instantiated set $S_{B'} \cup \bigcup_{t \in G} \{\chi \leq t \,\|\, \to\}$. ■

In particular, since we may assume all the integer variables occurring in $S$ are in $V_{abs}(C) \cup V_{ineq}(C)$ for some $C \in S$, every $\mathbb{Z}$-clause occurring in $S_{B'}$ can be reduced to a $\mathbb{Z}$-clause that is $\mathbb{Z}$-closed, and $S_{B'} \cup \bigcup_{t \in G} \{\chi \leq t \,\|\, \to\}$ can be reduced to a set of clauses containing no integer variable. Hence, Theorem 35 provides a way of getting rid of all integer variables in a formula.

The instantiated set $S_{B'} \cup \bigcup_{t \in G} \{\chi \leq t \,\|\, \to\}$ can further be reduced: since $\chi$ is strictly greater than any ground term $t$ occurring in $S$ or in $B$, every atom of the form $\chi \leq t$ or $t \leq \chi$ can be replaced by false and true respectively. Furthermore, by construction $\chi$ only appears at the root level in the arithmetic terms. Thus we can safely assume that $\chi$ does not occur in the arithmetic part of the $\mathbb{Z}$-clauses in $S_{B'}$. This implies that the inequations $\chi \leq t \,\|\, \to$ for $t \in G$ are useless and can be removed. Note that the resulting set does not depend on $G$.

6 Completeness of the combined instantiation schemes 

The aim of this section is to determine sufficient conditions guaranteeing that once the integer variables have 
been instantiated, another instantiation scheme can be applied to get rid of the remaining variables in the 
set of clauses under consideration. 

Let $\mathcal{C}$ denote a class of clause sets admitting an instantiation scheme, i.e., a function $\gamma$ that maps every clause set $S \in \mathcal{C}$ to a finite set of ground instances of clauses in $S$, such that $S$ is satisfiable if and only if $\gamma(S)$ is satisfiable. If $\gamma(S)$ is finite, this implies that the satisfiability problem is decidable for $\mathcal{C}$. For every clause $C$ in a set $S \in \mathcal{C}$, we denote by $\gamma_S^C$ the set of ground substitutions $\sigma$ such that $C\sigma \in \gamma(S)$. Thus, by definition, $\gamma(S) = \{\, C\gamma_S^C \mid C \in S \,\}$. Since $\gamma$ is generic, we do not assume that it preserves $\mathbb{Z}$-satisfiability. In order to apply it in our setting, we need to make additional assumptions on the instantiation scheme under consideration.

Definition 36 A term $t$ is independent from a set of clauses $S$ if for every non-variable term $s$ occurring in $S$, if $t$ and $s$ are unifiable, then $t = s$. An instantiation scheme $\gamma$ is admissible if:

1. It is monotonic, i.e., $S \subseteq S' \Rightarrow \gamma(S) \subseteq \gamma(S')$.

2. If $S$ is a set of clauses and $t, s$ are two terms independent from $S$, then $\gamma(S \cup \{t \simeq s\}) = \gamma(S) \cup \{t \simeq s\}$. ♦

The first requirement is fairly intuitive, and is fulfilled by every instantiation procedure of our knowledge. The second one states that adding equalities between particular terms should not influence the instantiation scheme. This requirement is actually quite strong, as evidenced by the following example.



Example 37 Let $S = \{\, p(a, x),\ \neg p(b, c) \,\}$. Since $p(a, x)$ and $p(b, c)$ are not unifiable, an instantiation scheme may not instantiate variable $x$ at all. However, by adding the unit clause $a \simeq b$ to this set, the instantiation scheme should instantiate $x$ with constant $c$. ♦

Generic instantiation schemes such as those in [6], [?], [12] do not satisfy the second requirement. However, it is fulfilled by the one of [11].

From now on, we assume that $\gamma$ denotes an admissible instantiation scheme. We show how to extend $\gamma$ to sets of $\mathbb{Z}$-closed $\mathbb{Z}$-clauses. Such $\mathbb{Z}$-clauses are obtained as the output of the scheme devised in the previous section.

Definition 38 A set of clauses $S = \{\, \Lambda_i \,\|\, C_i \mid i \in [1..n] \,\}$, where $\Lambda_i$ is a sequence of ground arithmetic atoms and $C_i$ is a clause, is $\gamma$-compatible if $S' = \{C_1, \ldots, C_n\} \in \mathcal{C}$. In this case, $\gamma(S)$ denotes the set of ground $\mathbb{Z}$-clauses $\{\, \Lambda_i \,\|\, C_i\gamma^{C_i}_{S'} \mid i \in [1..n] \,\}$.

Theorem 39 Let $S = \{\, \Lambda_i \,\|\, C_i \mid i \in [1..n] \,\}$ denote a $\gamma$-compatible set of $\mathbb{Z}$-clauses, where $\Lambda_i$ is a sequence of ground arithmetic atoms and $C_i$ is a clause. Let $\chi$ denote a constant not occurring in the arithmetic part of the clauses in $S$ or in the scope of a function of range $\mathbb{Z}$ in $S$, and consider a set $G$ of ground integer terms such that $\chi$ occurs in no term in $G$.

Then $S \cup \bigcup_{t \in G} \{\, \chi \leq t \,\|\, \to \,\}$ is $\mathbb{Z}$-satisfiable if and only if $\gamma(S)$ is $\mathbb{Z}$-satisfiable.

Proof. We denote by $\mathcal{S}$ the set of ground integer terms in $S$ that do not contain $\chi$, and by $T_{\mathbb{Z}}(S)$ the set of integer terms $t$ such that $t$ occurs in $S$ as an argument of a function whose range is distinct from $\mathbb{Z}$. By construction, $T_{\mathbb{Z}}(S) \subseteq \mathcal{S}$.

If $S$ is $\mathbb{Z}$-satisfiable then it is clear that $\gamma(S)$ is $\mathbb{Z}$-satisfiable. Now, assume that $\gamma(S)$ admits a $\mathbb{Z}$-model, which we denote by $I$. Let $S'$ (resp. $S'_\gamma$) be the set of clauses $C$ such that $S$ (resp. $\gamma(S)$) contains a clause of the form $\Lambda \,\|\, C$, where $I \models \Lambda$. By Condition 1 on the instantiation scheme $\gamma$, $\gamma(S') \subseteq \gamma(\{C_1, \ldots, C_n\})$, hence $\gamma(S') \subseteq S'_\gamma$. We define the set of equations

$$E = \{\, t \simeq s \mid t, s \in T_{\mathbb{Z}}(S),\ I(t) = I(s) \,\}.$$

Since the terms in $T_{\mathbb{Z}}(S)$ are all ground, every term in $T_{\mathbb{Z}}(S)$ is independent from $S$, thus by Condition 2, $\gamma(S') \cup E = \gamma(S' \cup E)$. Furthermore, since $I$ is a model of $S'_\gamma \cup E$, necessarily $\gamma(S' \cup E)$ is satisfiable; and since we assumed that the instantiation scheme $\gamma$ is refutationally complete, so is $S' \cup E$. Let $J$ denote a model of $S' \cup E$. This interpretation is not necessarily a $\mathbb{Z}$-interpretation, and we show how to construct a $\mathbb{Z}$-interpretation $K$ on the same domain as $J$ for all sorts other than $\mathbb{Z}$, such that $K$ satisfies $S$.

Given a function $f$ with profile $s_1 \times \ldots \times s_k \to s$, $f^K$ is defined as follows. If $f = \chi$ then $K(\chi)$ is an integer strictly greater than every integer $I(t)$, where $t \in G \cup T_{\mathbb{Z}}(S)$. If $s = \mathbb{Z}$ and $f \neq \chi$ then $f^K = f^I$. Finally, if $s \neq \mathbb{Z}$ then for every tuple $(d_1, \ldots, d_k)$ in the domain of $K$, $f^K(d_1, \ldots, d_k) = f^J(d'_1, \ldots, d'_k)$ where for every $i \in [1..k]$:

• if $s_i \neq \mathbb{Z}$ then $d'_i = d_i$;

• if $d_i = K(\chi)$ then $d'_i = J(\chi)$;

• if $d_i = I(t)$ for some term $t \in T_{\mathbb{Z}}(S)$ then $d'_i = J(t)$ ($t$ is chosen arbitrarily);

• $d'_i$ is chosen arbitrarily otherwise.

By definition of $K$, $K \models \bigwedge_{t \in G} \neg(\chi \leq t)$; furthermore, the interpretations of the integer terms in $\mathcal{S}$, which do not contain $\chi$, coincide on $K$ and $I$. We prove that $K \models S$.

Let $i \in [1..n]$. If $I \not\models \Lambda_i$ then $K \not\models \Lambda_i$ (since $\Lambda_i$ only contains integer terms in $\mathcal{S}$, and $I$ and $K$ agree on such terms), thus $K \models \Lambda_i \,\|\, C_i$. We now assume that $I \models \Lambda_i$, so that $C_i \in S'$. Let $\sigma$ be a ground substitution of domain $V(C_i)$; we show that $K \models C_i\sigma$.

By definition of $J$, $J \models C_i\sigma$, and $C_i\sigma$ contains no arithmetic atom. Thus it suffices to prove that for every noninteger term $t$ occurring in $C_i\sigma$, we have $K(t) = J(t)$. The proof is by induction on $t$. Let $t = f(t_1, \ldots, t_k)$; by definition $K(f(t_1, \ldots, t_k)) = f^K(K(t_1), \ldots, K(t_k)) = f^J(d'_1, \ldots, d'_k)$ where:

• if $t_i$ is not of sort $\mathbb{Z}$ then $d'_i = K(t_i)$. By the induction hypothesis, $K(t_i) = J(t_i)$.

• if $t_i$ is of sort $\mathbb{Z}$ and $K(t_i) \neq K(\chi)$ then $t_i$ must occur in $T_{\mathbb{Z}}(S)$, thus $K(t_i) = I(t_i)$. In this case, $d'_i = J(t)$ where $t$ is some term in $T_{\mathbb{Z}}(S)$ such that $K(t_i) = I(t)$. Since $I \models (t \simeq t_i)$ and $t, t_i \in T_{\mathbb{Z}}(S)$, we have $(t \simeq t_i) \in E$, hence $J(t) = J(t_i)$. Thus $K(t_i) = J(t_i)$.

• if $K(t_i) = K(\chi)$ then $d'_i = J(\chi)$. Since $S'$ contains no integer variable, every ground integer term in $f(t_1, \ldots, t_k)$ must already occur in $S$. Thus $t_i$ must occur in $S$, and by definition of $K(\chi)$ we must have $t_i = \chi$, hence $d'_i = J(t_i)$.

Thus $f^K(K(t_1), \ldots, K(t_k)) = f^J(J(t_1), \ldots, J(t_k))$ and $K(f(t_1, \ldots, t_k)) = J(f(t_1, \ldots, t_k))$. This implies that $J(t) = K(t)$ for every noninteger term $t$ occurring in $C_i\sigma$. Since $J \models C_i\sigma$, we also have $K \models C_i\sigma$, which proves that $S \cup \bigwedge_{t \in G} \neg(\chi \leq t)$ is also satisfiable. ■

Summary. 

To summarize, starting from a set of Z-clauses S: 

1. The scheme devised in Section 5 is applied to instantiate all integer variables occurring in $S$. We obtain a $\mathbb{Z}$-closed set of $\mathbb{Z}$-clauses $S'$.

2. $S'$ is processed to get rid of all clauses containing arithmetic atoms of the form $\chi \leq t$, and to get rid of all atoms of the form $t \leq \chi$ in the remaining clauses. We obtain a set of $\mathbb{Z}$-clauses $S''$.

3. Then we apply an admissible instantiation scheme $\gamma$ (e.g., that of [11]) on the clausal part of the $\mathbb{Z}$-clauses in $S''$ to instantiate all remaining variables. We obtain a set of closed $\mathbb{Z}$-clauses $S_\gamma$.

4. Finally we feed an SMT solver (that handles linear arithmetic) with $S_\gamma$.

The previous results ensure that $S$ and $S_\gamma$ are equisatisfiable, provided $S''$ is compatible with $\gamma$. This means that the procedure can be applied to test the satisfiability of an SMT problem on the combination of linear arithmetic with, e.g., any of the theories that the scheme of [11] is capable of handling, which include the theories of arrays, records, or lists. Note that an efficient implementation of this scheme would not instantiate variables by $\chi$ in clauses or literals that are afterwards deleted, but would directly apply the simplification.

Note also that simple optimizations can further be applied to reduce the size of the instantiation set. For example, given a set of clauses $S$, there is no need to keep in the instantiation set $B_S$ two distinct terms $t$ and $s$ such that $S \models_{\mathbb{Z}} t \simeq s$. Thus, it is useless to store in $B_S$ both a constant $a$ and a term $p(s(a))$; if $S$ contains a unit clause $t \simeq a$, there is no need for $B_S$ to contain both $t$ and $a$. Another rather obvious improvement is to use several distinct sorts interpreted as integers. Then the arithmetic variables need only to be instantiated by terms of the same sort. Our results extend straightforwardly to such settings, but we chose not to directly include these optimizations in our proofs for the sake of readability.

7 Applications 

We now show two applications of our technique to solve satisfiability problems involving integers. 
Arrays with integer indices. 

The theory of arrays with integer indices is axiomatized by the following set of clauses, denoted by $A_{\mathbb{Z}}$:

$$\|\, \to \mathrm{select}(\mathrm{store}(x, z, v), z) \simeq v \qquad (a_1)$$
$$w \leq p(z) \,\|\, \to \mathrm{select}(\mathrm{store}(x, z, v), w) \simeq \mathrm{select}(x, w) \qquad (a_2)$$
$$s(z) \leq w \,\|\, \to \mathrm{select}(\mathrm{store}(x, z, v), w) \simeq \mathrm{select}(x, w) \qquad (a_3)$$

Instead of clauses $(a_2)$ and $(a_3)$, the standard axiomatization of the theory of arrays contains $w \not\simeq z \,\|\, \to \mathrm{select}(\mathrm{store}(x, z, v), w) \simeq \mathrm{select}(x, w)$. In order to be able to apply our scheme, we replaced the atom $w \not\simeq z$ by the disjunction $w \leq p(z) \vee s(z) \leq w$, which is equivalent in $\mathbb{Z}$. The standard axiomatization of the theory of arrays is saturated for the superposition calculus (see, e.g., [?]), and a similar result holds for the new axiomatization:

Proposition 40 $A_{\mathbb{Z}}$ is saturated in [?].

Proof. Any inference between the axioms generates a clause that can be deleted by the tautology deletion rule. ■

We consider SMT problems on arrays with integer indices of a particular kind:

Definition 41 An $A_{\mathbb{Z}}$-inequality problem is a set of $\mathbb{Z}$-clauses $A_{\mathbb{Z}} \cup S_0$ where:

• the only variables occurring in $S_0$ are integer variables,

• all non-ground arithmetic atoms occurring in $S_0$ that are not abstraction literals are of the form $x \leq t$ or $t \leq x$, where $t$ is either a variable or a ground term,

• every variable occurring in a term in $C \in S_0$ whose head symbol is $\mathrm{store}$ must occur in a grounding abstraction literal in $C$.

Intuitively, these conditions impose that in the corresponding set of clauses without any integer term abstracted out, the only non-ground arithmetic atoms are of the form $x \leq t$ or $t \leq x$, and every term occurring in $S$ whose head symbol is $\mathrm{store}$ must be ground.

Definition 42 Consider a $\mathbb{Z}$-clause $C = \Lambda \,\|\, \Gamma \to \Delta$.

• $C$ is an array property clause if it only contains integer variables, $\Gamma \to \Delta$ contains no occurrence of the $\mathrm{store}$ symbol, and every occurrence of the $\mathrm{select}$ symbol admits a constant as a first argument.

• $C$ is an array write clause if it is of the form

$$\Lambda',\ u \simeq i \,\|\, \Gamma' \to \mathrm{store}(a, u, e) \simeq b,\ \Delta',$$

where $a, e, b$ and all terms in $\Gamma', \Delta'$ are flat and ground.

It is simple to verify that every $A_{\mathbb{Z}}$-inequality problem can be reduced by the flattening operation to an equisatisfiable set of clauses of the form $A_{\mathbb{Z}} \cup S_P \cup S_W$, where:

• The clauses in $S_P$ are array property clauses. Intuitively, the clauses in this set are used to define properties on the arrays under consideration.

• The clauses in $S_W$ are array write clauses. Intuitively, the clauses in this set represent the write operations on the arrays under consideration.

Proposition 43 The following results hold:

1. An inference between an array property clause and an array write clause has an empty mgu, and it generates an array write clause.

2. There are no possible inferences between an array property clause and an axiom in $A_{\mathbb{Z}}$.

3. An inference between an array write clause and an axiom in $A_{\mathbb{Z}}$ generates an array property clause.

Proof. 1. An array write clause is of the form

$$\Lambda,\ u \simeq i \,\|\, \Gamma \to \mathrm{store}(a, u, e) \simeq b,\ \Delta,$$

where every term in $\Gamma, \Delta$ is flat and ground. Since there can be no occurrence of $\mathrm{store}$ or of a literal $x \simeq t$ in the array property clause, its maximal literal must be an equation between constants. Hence the mgu of the two unified terms is empty and the generated clause is an array write clause.

2. Since array property clauses do not contain any occurrence of $\mathrm{store}$ and no superposition into a variable is permitted, an inference between an array property clause and an axiom in $A_{\mathbb{Z}}$ must unify terms with $\mathrm{select}$ as a head symbol. But in this case, the unified term in the axiom must be a $\mathrm{select}(\mathrm{store}(x, z, v), w)$, where $w$ may be equal to $z$, and since the unified term in the array property clause must be of the form $\mathrm{select}(a, u)$, where $a$ is a constant, these terms cannot be unifiable.

3. The only term on which the superposition rule can apply in an array write clause is of the form $\mathrm{store}(a, u, e)$ (recall that constant symbols are strictly smaller than complex terms and that no equation on integer variables is allowed in the clauses). Since $A_{\mathbb{Z}}$ contains no occurrence of $\mathrm{store}$ at the root level, the rule must apply from the array write clause into $A_{\mathbb{Z}}$. Thus it replaces a term $\mathrm{store}(x, z, v)$ occurring in the axiom by $b$, which implies that the first argument of $\mathrm{select}$ is a constant. Furthermore, $x$ and $v$ are instantiated by constants by unification, thus the obtained clause contains no variable except for the integer variables $z, w$. ■

Proposition 44 Let $D = \Lambda,\ u \simeq i \,\|\, \Gamma \to \mathrm{store}(a, u, e) \simeq b,\ \Delta$ denote an array write clause generated from $S_P \cup S_W$. Then $S_W$ contains an array write clause of the form $\Lambda',\ u \simeq i \,\|\, \Gamma' \to \mathrm{store}(a', u, e') \simeq b',\ \Delta'$.

Proof. The result is a direct consequence of Proposition 43 (1), and is proved by induction on the length of the derivation generating $D$. ■

For every $A_{\mathbb{Z}}$-inequality problem $S$, we define the following set of ground terms, which will be used throughout this section:

$$B_S = \{\, t \text{ ground} \mid x \leq t \text{ or } \mathrm{select}(a, t) \text{ occurs in } S \,\}$$
$$\cup\ \{\, t' \text{ ground} \mid \mathrm{store}(a, u, e) \simeq b \text{ and } u \simeq t' \text{ occur in a same clause in } S \,\}$$
$$\cup\ \{\, p(t') \text{ ground} \mid \mathrm{store}(a, u, e) \simeq b \text{ and } u \simeq t' \text{ occur in a same clause in } S \,\}$$

Proposition 45 For every clause $C$ in $S_P \cup S_W$, $C$ is preconstrained and $C \lhd B_S$.

Note that the clauses in $A_{\mathbb{Z}}$ are not preconstrained.

Lemma 46 Every non-redundant clause $C$ generated from $A_{\mathbb{Z}} \cup S_P \cup S_W$ other than the clauses in $A_{\mathbb{Z}}$ is preconstrained and such that $C \lhd B_S$.

Proof. The property holds for the clauses in $S_P \cup S_W$. We prove the result by induction on the length of the derivation, and prove at the same time that $C$ is either an array property clause or an array write clause; this is trivially true if $C \in S_P \cup S_W$. Assume $C$ is generated by a derivation of length 1, i.e., by an inference on $D, D'$; these clauses are not necessarily distinct. We perform a case analysis on the properties $D$ and $D'$ satisfy:

$D$ and $D'$ are axioms in $A_{\mathbb{Z}}$. In this case, $C$ is redundant by Proposition 40.

$D$ is an array property clause and $D' \in A_{\mathbb{Z}}$. By Proposition 43, this case is not possible.

$D$ is an array write clause and $D' \in A_{\mathbb{Z}}$. Then $D$ is a clause of the form $\Lambda,\ u \simeq i \,\|\, \Gamma \to \mathrm{store}(a, u, e) \simeq b,\ \Delta$, where a term $\mathrm{store}(a', i, e')$ occurs in $S_W$ by Proposition 44. By Proposition 43 (3), $C$ is an array property clause. Assume $D' = (a_2)$; the other cases are similar. Then

$$C = w \leq p(u),\ u \simeq i,\ \Lambda \,\|\, \Gamma \to \mathrm{select}(b, w) \simeq \mathrm{select}(a, w),\ \Delta;$$

$C$ is therefore an array property clause such that $C \lhd B_S$, and it is preconstrained.

$D$ and $D'$ are in $S_P \cup S_W$. In this case, $C \lhd B_S$ by Lemma [?], $C$ is preconstrained by Lemma [?], and it is either an array property clause or an array write clause by Proposition 43. ■

By Theorem 35, if we consider the set $B'_S$ obtained from $B_S$ by adding a constant $\chi$ not occurring in $S$, then $S$ and $S_{B'_S} \cup \bigcup_{t \in B_S} \{\, \chi \leq t \,\|\, \to \,\}$ are equisatisfiable. We restate this result using substitutions instead of abstraction atoms:

Lemma 47 Let $B'_S = B_S \cup \{\chi\}$, let $V$ denote the set of inequality variables occurring in clauses in $S$, and let $\Omega$ denote the set of all substitutions of domain $V$ and codomain $B'_S$. Then $A_{\mathbb{Z}} \cup S_0$ and $(A_{\mathbb{Z}} \cup S_0)\Omega$ are equisatisfiable.
Since we assumed all integer variables in $S$ are either abstraction variables or inequality variables (by otherwise adding $x \leq x$ to the necessary clauses), we conclude that the clauses in $S_0\Omega$ are all ground, and the clauses in $A_{\mathbb{Z}}\Omega$ are of the form:

$$\|\, \to \mathrm{select}(\mathrm{store}(x, z, v), z) \simeq v$$
$$s \leq p(z) \,\|\, \to \mathrm{select}(\mathrm{store}(x, z, v), s) \simeq \mathrm{select}(x, s)$$
$$s(z) \leq s \,\|\, \to \mathrm{select}(\mathrm{store}(x, z, v), s) \simeq \mathrm{select}(x, s),$$

where $s$ is a ground term. This set of clauses can be instantiated using the scheme of [11]. Thus, if $\Omega'$ denotes the set of substitutions constructed by the instantiation scheme, by Theorem 39 the sets $S$ and $S\Omega\Omega'$ are equisatisfiable. The latter is ground, and its satisfiability can be tested by any SMT solver capable of handling linear arithmetic and congruence closure.

We would like to emphasize that similar theories can be handled in the same way, for instance the theory of lists, records, etc. Furthermore, other axioms can be added to the theory of arrays to express additional properties, such as sortedness (see [11] for details).

An example.

Consider the following sets:

$$E = \{\ l_i \leq x_i,\ x_i \leq u_i \,\|\, \to \mathrm{select}(a, x_i) \simeq [?] \ \mid\ i = 1, \ldots, n \ \},$$

$$F = \{\ u_i \leq p(l_i) \,\|\, \to \ \mid\ i = 1, \ldots, n \ \},$$

$$G = \{\ u_i \leq p(l_{i+1}) \,\|\, \to \ \mid\ i = 1, \ldots, n-1 \ \},$$

where the $u_i$'s and $l_i$'s are constants. The $\mathbb{Z}$-clauses in $E$ state that array $a$ is constant between bounds $l_i$ and $u_i$, for $i = 1, \ldots, n$; the $\mathbb{Z}$-clauses in $F$ state that each interval has at least one element, and the $\mathbb{Z}$-clauses in $G$ state that all the intervals have a nonempty intersection. Thus, the union of these sets entails that $a$ is constant between bounds $l_1$ and $u_n$. Let $b$ denote the array obtained from $a$ by writing element $e_1$ at position $u_{n+1}$. If $u_{n+1} = s(u_n)$, then $b$ is constant between bounds $l_1$ and $s(u_n)$. Let

$$H = \{\ x \simeq u_{n+1} \,\|\, \to b \simeq \mathrm{store}(a, x, e_1),\qquad \|\, \to u_{n+1} \simeq s(u_n) \ \}$$
$$\cup\ \{\ k \leq p(l_1) \,\|\, \to,\qquad u_{n+1} \leq p(k) \,\|\, \to \ \}$$
$$\cup\ \{\ \|\, \mathrm{select}(b, k) \simeq e_1 \to \ \}$$

and $S_0 = E \cup F \cup G \cup H$; then $A_{\mathbb{Z}} \cup S_0$ is unsatisfiable. By applying the definition of $B_S$ from the previous section, we obtain $B_S = \{u_1, \ldots, u_n, u_{n+1}, p(u_{n+1}), k\}$. In the first step, all variables in $E$ are instantiated with the elements of $B'_S = B_S \cup \{\chi\}$, yielding a ground set $E'$ (see the footnote below). The inequality variables in the axioms of $A_{\mathbb{Z}}$ are also instantiated with the elements of $B'_S$, yielding a set of clauses $A$. Then, in the second step, the clauses in $A$ are instantiated using the term $\mathrm{store}(a, u_{n+1}, e_1)$, and we obtain a set $A'$ containing clauses of the form

$$x \simeq u_{n+1} \,\|\, \to \mathrm{select}(\mathrm{store}(a, x, e_1), x) \simeq e_1,$$
$$x \simeq u_{n+1},\ s \leq p(x) \,\|\, \to \mathrm{select}(\mathrm{store}(a, x, e_1), s) \simeq \mathrm{select}(a, s),$$
$$x \simeq u_{n+1},\ s(x) \leq s \,\|\, \to \mathrm{select}(\mathrm{store}(a, x, e_1), s) \simeq \mathrm{select}(a, s),$$

where $s \in B'_S$. Then an SMT solver is invoked on the ground set of clauses $A' \cup E' \cup F \cup G \cup H$. The size of this set is to be compared with the one obtained by the procedure of [10], where clauses are instantiated using an index set

$$I = \{\, l_i, u_i \mid i = 1, \ldots, n \,\} \cup \{\, u_{n+1},\ p(u_{n+1}),\ s(u_{n+1}),\ s(u_n),\ k \,\}.$$

There are twice as many terms in this instantiation set. It is simple to check that our procedure always generates fewer instances than the one of [10]. In fact, there are cases in which our method is exponentially better. The simplest example is the following: for $i = 1, \ldots, n$, let $A_i$ denote the atom $\mathrm{select}(a, x_i) \simeq c_i$, and let $S = A_{\mathbb{Z}} \cup S_0$, where

$$S_0 = \{\ a \leq x_1,\ \ldots,\ a \leq x_n,\ b \leq y \,\|\, A_1, \ldots, A_n \to \mathrm{select}(t, y) \simeq b \ \}.$$

With this set, our instantiation scheme generates only a unique clause, whereas the one in [10] instantiates every $x_i$ with $i$ and $j$, yielding $2^n$ clauses.

Footnote: in an actual implementation, the variables in $E$ would not be instantiated with $\chi$.
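As an added illustration of this application (example code written for this page, not the paper's own implementation), the following Python computes the set $B_S$ exactly as defined above and then performs steps 1 and 2 of the Summary: inequality variables are replaced by every element of $B_S \cup \{\chi\}$, clauses containing $\chi \leq t$ are deleted and atoms $t \leq \chi$ are dropped. It is run on a constructed encoding of $S_0 = E \cup F \cup G \cup H$ (with $n$ intervals) and of the exponential example, and on the axioms $A_{\mathbb{Z}}$. The term encoding, the names `compute_BS`, `instantiate` and `simplify_chi`, and the choice of $e_1$ as the right-hand side of the select atoms in $E$ (not legible on this page) are assumptions of this example.

```python
# Added example (not the paper's code): the instantiation set B_S of Section 7
# and Summary steps 1 and 2 (instantiate inequality variables with B_S ∪ {chi},
# then simplify the chi-atoms), run on constructed inputs.
from itertools import product

# Assumed term encoding: variables are strings starting with '?', constants are
# other strings, and f(t1, ..., tk) is the tuple ('f', t1, ..., tk).
def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def is_ground(t):
    if is_var(t):
        return False
    return all(is_ground(a) for a in t[1:]) if isinstance(t, tuple) else True

def subterms(t):
    yield t
    if isinstance(t, tuple):
        for a in t[1:]:
            yield from subterms(a)

def subst(t, sigma):
    if is_var(t):
        return sigma.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(a, sigma) for a in t[1:])
    return t

# Atoms: ('le', s, t) for s <= t, ('eq', s, t) for s ~ t.  A Z-clause
# Lambda || Gamma -> Delta is a dict with the keys 'arith', 'ant', 'suc'.
def le(s, t): return ('le', s, t)
def eq(s, t): return ('eq', s, t)
def zc(arith, ant, suc): return {'arith': list(arith), 'ant': list(ant), 'suc': list(suc)}

def abstraction_atoms(C):
    """Grounding abstraction atoms x ~ t (x a variable, t ground) of the arithmetic part."""
    return {l: r for (k, l, r) in C['arith'] if k == 'eq' and is_var(l) and is_ground(r)}

def compute_BS(S):
    """B_S: ground t with x <= t (x a variable) or select(a, t) in S, plus t' and p(t')
    when store(a, u, e) ~ b and the abstraction atom u ~ t' occur in the same clause."""
    B = set()
    for C in S:
        abstr = abstraction_atoms(C)
        for (k, l, r) in C['arith']:
            if k == 'le' and is_var(l) and is_ground(r):
                B.add(r)
        for (_, l, r) in C['ant'] + C['suc']:
            for t in list(subterms(l)) + list(subterms(r)):
                if isinstance(t, tuple) and t[0] == 'select' and is_ground(t[2]):
                    B.add(t[2])
            for side in (l, r):   # store(a, u, e) at the root of one side of an equation
                if isinstance(side, tuple) and side[0] == 'store' and side[2] in abstr:
                    B.add(abstr[side[2]])
                    B.add(('p', abstr[side[2]]))
    return B

def ineq_vars(C):
    """Variables that are a direct side of a <= atom and are not abstraction variables."""
    abstr = abstraction_atoms(C)
    return sorted({x for (k, l, r) in C['arith'] if k == 'le'
                   for x in (l, r) if is_var(x) and x not in abstr})

def simplify_chi(C, chi):
    """Summary step 2: chi exceeds every ground term, so t <= chi is true (drop the
    atom) and chi <= t is false (the whole Z-clause holds trivially: delete it)."""
    arith = []
    for (k, l, r) in C['arith']:
        if k == 'le' and r == chi:
            continue
        if k == 'le' and l == chi:
            return None
        arith.append((k, l, r))
    return zc(arith, C['ant'], C['suc'])

def instantiate(S, B, chi):
    """Summary step 1, S_{B'} with B' = B ∪ {chi}, followed by simplify_chi."""
    out = []
    for C in S:
        xs = ineq_vars(C)
        for choice in product(sorted(B, key=repr) + [chi], repeat=len(xs)):
            sigma = dict(zip(xs, choice))
            D = zc(*[[(k, subst(l, sigma), subst(r, sigma)) for (k, l, r) in C[key]]
                     for key in ('arith', 'ant', 'suc')])
            D = simplify_chi(D, chi)
            if D is not None:
                out.append(D)
    return out

# The axioms A_Z of Section 7, with variables x, z, v, w.
STORE = ('store', '?x', '?z', '?v')
A_Z = [zc([], [], [eq(('select', STORE, '?z'), '?v')]),
       zc([le('?w', ('p', '?z'))], [], [eq(('select', STORE, '?w'), ('select', '?x', '?w'))]),
       zc([le(('s', '?z'), '?w')], [], [eq(('select', STORE, '?w'), ('select', '?x', '?w'))])]

def running_example(n):
    """Constructed S_0 = E ∪ F ∪ G ∪ H of the 'An example' paragraph for n intervals;
    the right-hand side of the select atoms in E is assumed to be e1."""
    u = [f'u{i}' for i in range(1, n + 2)]      # u1, ..., u_{n+1}
    l = [f'l{i}' for i in range(1, n + 1)]
    E = [zc([le(l[i], f'?x{i}'), le(f'?x{i}', u[i])], [], [eq(('select', 'a', f'?x{i}'), 'e1')])
         for i in range(n)]
    F = [zc([le(u[i], ('p', l[i]))], [], []) for i in range(n)]
    G = [zc([le(u[i], ('p', l[i + 1]))], [], []) for i in range(n - 1)]
    H = [zc([eq('?x', u[n])], [], [eq('b', ('store', 'a', '?x', 'e1'))]),
         zc([], [], [eq(u[n], ('s', u[n - 1]))]),
         zc([le('k', ('p', l[0]))], [], []),
         zc([le(u[n], ('p', 'k'))], [], []),
         zc([], [eq(('select', 'b', 'k'), 'e1')], [])]
    return E + F + G + H

def exponential_example(n):
    """Constructed S_0 = {a <= x_1, ..., a <= x_n, b <= y || A_1, ..., A_n -> select(t, y) ~ b}."""
    arith = [le('a', f'?x{i}') for i in range(n)] + [le('b', '?y')]
    ant = [eq(('select', 'a', f'?x{i}'), f'c{i}') for i in range(n)]
    return [zc(arith, ant, [eq(('select', 't', '?y'), 'b')])]
```

For $n = 2$, `compute_BS(A_Z + running_example(2))` returns $\{u_1, u_2, u_3, p(u_3), k\}$, matching the $B_S$ given above; each clause of $E$ yields five ground instances (the instance by $\chi$ is deleted because it contains $\chi \leq u_i$), and the exponential example yields a single clause because $B_S$ is empty and every atom $a \leq \chi$ is dropped. The code instantiates only inequality variables; the abstraction variable $x$ of $H$ and the variables $x, z, v$ of the axioms are left for the second scheme, as in the text.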
Stratified classes.

To show the wide range of applicability of our results, we provide another example of a domain where they can be applied. The results in this section concern decidable subclasses of first-order logic with sorts, which are investigated in [1]. We briefly review some definitions.

Definition 48 A set of function symbols $\Sigma$ is stratified if there exists a function $\mathrm{level}$ mapping every sort $s$ to a natural number such that for every function symbol $f \in \Sigma$ of profile $s_1 \times \ldots \times s_n \to s$ and for every $i \in [1..n]$, $\mathrm{level}(s) > \mathrm{level}(s_i)$. We denote by $T_\Sigma$ (resp. $T_\Sigma^s$) the set of ground terms built on the set of function symbols $\Sigma$ (resp. the set of ground terms of sort $s$ built on $\Sigma$). ♦

Proposition 49 Let $\Sigma$ be a finite stratified set of function symbols. Then the set $T_\Sigma$ is finite.

Proof. We show, by induction on the terms, that the depth of a term in $T_\Sigma^s$ is bounded by $\mathrm{level}(s)$. This obviously implies that the number of terms in $T_\Sigma$ is finite.

Let $t$ be a ground term of depth $d$. $t$ is of the form $f(t_1, \ldots, t_n)$ where $f$ is a function symbol of profile $s_1 \times \ldots \times s_n \to s$ and $t_1, \ldots, t_n$ are terms of sorts $s_1, \ldots, s_n$ respectively. By the induction hypothesis, the depths of $t_1, \ldots, t_n$ are bounded by $\mathrm{level}(s_1), \ldots, \mathrm{level}(s_n)$ respectively. Thus the depth of $t$ is bounded by $1 + \max_{i \in [1..n]} \mathrm{level}(s_i)$. Since the signature is stratified, we have $\forall i \in [1..n],\ \mathrm{level}(s) > \mathrm{level}(s_i)$, thus $\mathrm{level}(s) \geq 1 + \max_{i \in [1..n]} \mathrm{level}(s_i) \geq d$. ■

A set of clauses is in $St_0$ if its signature is stratified. In particular, any formula in the Bernays-Schönfinkel class is in $St_0$. By Proposition 49, $St_0$ admits a trivial instantiation scheme: it suffices to replace each variable by every ground term of the same sort, defined on the set of function symbols occurring in $S$ (see the footnote below). This instantiation scheme is obviously admissible (see Definition 36).
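As an added example of Definition 48, Proposition 49 and the trivial $St_0$ scheme (code written for this page, not taken from the paper or from [1]), the following Python decides whether a sorted signature is stratified by computing a level function, enumerates $T_\Sigma^s$ sort by sort in increasing level order, checks the depth bound $\mathrm{depth}(t) \leq \mathrm{level}(s)$ of the proof, and builds the set of ground substitutions the trivial scheme uses. The signature encoding, the sample signatures `SIG` and `NAT`, and the function names are assumptions of this example; the depth of a constant is taken to be 0 so that the bound of the proof holds verbatim.

```python
# Added example (not the paper's code): deciding whether a sorted signature is
# stratified (Definition 48), enumerating the finite set T_Sigma by levels
# (Proposition 49) and using it as the trivial St_0 instantiation scheme.
from itertools import product

# Assumed encoding: a signature maps each symbol to (argument sorts, result sort);
# constants have the empty tuple () as argument sorts.
def stratification(sigma):
    """Return a level function (sort -> int) with level(s) > level(s_i) for every
    f : s_1 x ... x s_n -> s, or None when no such function exists.  A sort gets
    1 + the largest level among the argument sorts of the symbols producing it,
    so the fixpoint gets stuck exactly when some sort depends on itself."""
    sorts = {s for args, res in sigma.values() for s in (*args, res)}
    deps = {s: {a for args, res in sigma.values() if res == s for a in args} for s in sorts}
    level = {}
    progress = True
    while progress and len(level) < len(sorts):
        progress = False
        for s in sorts:
            if s not in level and deps[s] <= set(level):
                level[s] = 1 + max((level[a] for a in deps[s]), default=-1)
                progress = True
    return level if len(level) == len(sorts) else None

def depth(t):
    """Depth of a ground term ('f', t1, ..., tn); constants have depth 0."""
    return 1 + max((depth(a) for a in t[1:]), default=-1)

def ground_terms(sigma):
    """T_Sigma^s for every sort s, as {sort: set of terms}.  Lower-level sorts are
    built first; for a stratified signature every sort is finite (Proposition 49)."""
    level = stratification(sigma)
    if level is None:
        raise ValueError('signature is not stratified: T_Sigma may be infinite')
    terms = {s: set() for s in level}
    for s in sorted(level, key=level.get):
        for f, (args, res) in sigma.items():
            if res == s:
                for tup in product(*(sorted(terms[a], key=repr) for a in args)):
                    terms[s].add((f,) + tup)
    return terms

def trivial_scheme(var_sorts, sigma):
    """The St_0 scheme: all substitutions sending each variable (given with its
    sort) to a ground term of that sort; every clause instance is then ground."""
    T = ground_terms(sigma)
    names = sorted(var_sorts)
    return [dict(zip(names, choice))
            for choice in product(*(sorted(T[var_sorts[x]], key=repr) for x in names))]

# Constructed signatures: SIG is stratified (levels P:0, Q:1, R:2); NAT is not,
# because succ : Nat -> Nat makes Nat depend on itself (T_NAT is infinite).
SIG = {'a': ((), 'P'), 'b': ((), 'P'), 'pair': (('P', 'P'), 'Q'), 'fst': (('Q',), 'R')}
NAT = {'zero': ((), 'Nat'), 'succ': (('Nat',), 'Nat')}
```

On `SIG`, `ground_terms` yields 2 terms of sort P, 4 of sort Q and 4 of sort R, every one of depth at most its sort's level, and a clause with one variable of sort P and one of sort Q receives $2 \times 4 = 8$ ground instances; on `NAT`, `stratification` returns `None` and enumeration is refused.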

This instantiation scheme can also be applied to the class $St_2$ defined in [1] as an extension of the class $St_0$ with atoms of the form $t \in \mathrm{Im}[f]$, where $f$ is a function symbol of profile $s_1 \times \ldots \times s_n \to s$, meaning that $t$ is in the image of the function $f$. From a semantic point of view, the atom $t \in \mathrm{Im}[f]$ is a shorthand for $\exists x_1, \ldots, x_n.\ t \simeq f(x_1, \ldots, x_n)$. To ensure decidability, for every atom of the form $t \in \mathrm{Im}[f]$ and for every function symbol $g$ of the same range as $f$, the following properties have to be satisfied:

1. $g$ must have the same profile as $f$.

2. The formula $f(x_1, \ldots, x_n) \simeq g(y_1, \ldots, y_n) \Rightarrow \bigwedge_{i=1}^{n} x_i \simeq y_i$, where $n$ denotes the arity of $f$ and $g$, must hold in every model of the considered formula.

In [1] it is shown that every satisfiable set in $St_2$ admits a finite model, hence $St_2$ is decidable. We show that any formula in $St_2$ can be reduced to a clause set in $St_0$, thus reducing satisfiability problems in $St_2$ to satisfiability problems in $St_0$. We begin by showing that if $t$ is a complex term in an atom $t \in \mathrm{Im}[f]$, then under certain conditions, which will be satisfied for the elements in $St_2$, the atom can safely be replaced by an equality atom.

Proposition 50 Consider an atom $g(t_1, \ldots, t_n) \in \mathrm{Im}[f]$, and assume that $g$ has the same profile as $f$. Consider also an interpretation $I$ such that $I \models f(x_1, \ldots, x_n) \simeq g(y_1, \ldots, y_n) \Rightarrow \bigwedge_{i=1}^{n} x_i \simeq y_i$. Then $I \models g(t_1, \ldots, t_n) \in \mathrm{Im}[f]$ if and only if $I \models g(t_1, \ldots, t_n) \simeq f(t_1, \ldots, t_n)$.

Proof. First note that $f(t_1, \ldots, t_n)$ is a well-formed term, since $f$ and $g$ have the same profile by hypothesis. Furthermore, it is obvious that $g(t_1, \ldots, t_n) \simeq f(t_1, \ldots, t_n) \models g(t_1, \ldots, t_n) \in \mathrm{Im}[f]$. Now, assume that $I \models g(t_1, \ldots, t_n) \in \mathrm{Im}[f]$. Then there exists an extension $I'$ of $I$ to $x_1, \ldots, x_n$ such that $I' \models g(t_1, \ldots, t_n) \simeq f(x_1, \ldots, x_n)$. But then, since $I \models f(x_1, \ldots, x_n) \simeq g(y_1, \ldots, y_n) \Rightarrow \bigwedge_{i=1}^{n} x_i \simeq y_i$, we deduce that $I' \models t_i \simeq x_i$ for all $i \in [1..n]$. Thus $I' \models g(t_1, \ldots, t_n) \simeq f(t_1, \ldots, t_n)$, and $I \models g(t_1, \ldots, t_n) \simeq f(t_1, \ldots, t_n)$ since $I$ and $I'$ coincide on the terms not containing $x_1, \ldots, x_n$. ■

In order to get rid of atoms of the form $t \in \mathrm{Im}[f]$, we prove that in the case where $t$ is a variable, we may assume $t$ is interpreted as a ground term in $T_\Sigma$.

Footnote: possibly enriched with some constant symbols in order to ensure that each sort is nonempty.
Lemma 51 Let $S$ denote a clause set in $St_2$ built on a stratified set of symbols $\Sigma$ such that $T_\Sigma^s$ is nonempty for every sort $s$ of $\Sigma$. If an interpretation $I$ is a model of $S$, then the restriction of $I$ to the domains $I(T_\Sigma^s)$ is also a model of $S$.

Proof. Let $I$ denote a model of $S$, and let $J$ be the restriction of $I$ to the domains $I(T_\Sigma^s)$, for every sort $s$ of $\Sigma$. It is clear that $J$ is an interpretation and, by definition, for all $f \in \Sigma$, $f^J$ is a total function. Still by definition, $I$ and $J$ coincide on every term in $T_\Sigma$. Let $\sigma$ denote a grounding substitution and let $A$ denote an atom built on the symbols in $\Sigma$. If $A$ is of the form $t \simeq s$ then we have $I(t\sigma) = J(t\sigma)$ and $I(s\sigma) = J(s\sigma)$ by construction, thus $I \models (t \simeq s)\sigma$ if and only if $J \models (t \simeq s)\sigma$. Thus ground equational atoms have the same truth values in $I$ and in $J$. This implies that the purely equational clauses have the same truth values in $I$ and in $J$, and in particular, we deduce that $J \models f(x_1, \ldots, x_n) \simeq g(y_1, \ldots, y_n) \Rightarrow \bigwedge_{i=1}^{n} x_i \simeq y_i$ for every function symbol $f$ occurring in an atom $t \in \mathrm{Im}[f]$ and for every function symbol $g$ with the same range as $f$.

If $A$ is of the form $t \in \mathrm{Im}[f]$, then by definition $t\sigma$ is of the form $g(t_1, \ldots, t_n)$ for some function symbol $g$ with the same range as $f$. By Proposition 50, $t\sigma \in \mathrm{Im}[f]$ has the same truth value in $I$ and in $J$ as $t\sigma \simeq f(t_1, \ldots, t_n)$. Since $t\sigma \simeq f(t_1, \ldots, t_n)$ is a ground equational atom, it has the same truth value in $I$ and in $J$. Thus $I \models t\sigma \in \mathrm{Im}[f]$ if and only if $J \models t\sigma \in \mathrm{Im}[f]$. We deduce that for all grounding substitutions $\sigma$, $A\sigma$ has the same truth value in $I$ and in $J$, and since $I \models S$, we conclude that $J \models S$. ■

Proposition 50 and Lemma 51 permit to reduce a satisfiability problem in $St_2$ to a satisfiability problem in $St_0$, by getting rid of all occurrences of atoms of the form $t \in \mathrm{Im}[f]$. One such transformation is obvious: by definition, every occurrence of the form $t \notin \mathrm{Im}[f]$ can be replaced by $t \not\simeq f(x_1, \ldots, x_n)$, where the $x_i$ are fresh variables. We now focus on the other occurrences of the atoms.

Definition 52 Let $S$ denote a set of clauses. We denote by $S'$ the set of clauses obtained from $S$ by applying the following transformation rule (using a "don't care" nondeterministic strategy):

$$\Gamma \to \Delta,\ x \in \mathrm{Im}[f] \quad\leadsto\quad \{\ x \simeq g(x_1, \ldots, x_n),\ \Gamma \to \Delta,\ g(x_1, \ldots, x_n) \in \mathrm{Im}[f] \ \mid\ g \in \Sigma_f \ \}$$

where $x$ is a variable, $f$ is of arity $n$, $\Sigma_f$ denotes the set of function symbols with the same profile as $f$, and $x_1, \ldots, x_n$ are fresh variables that are pairwise distinct. We denote by $S_{\downarrow 0}$ the set of clauses obtained from $S'$ by applying the following transformation rule:

$$g(x_1, \ldots, x_n) \in \mathrm{Im}[f] \quad\leadsto\quad g(x_1, \ldots, x_n) \simeq f(x_1, \ldots, x_n).$$

The first rule gets rid of atoms of the form $x \in \mathrm{Im}[f]$ by replacing them with atoms of the form $t \in \mathrm{Im}[f]$ where $t$ is a complex term, and the second rule gets rid of these atoms. It is obvious that these rules terminate: the first one decreases the number of atoms of the form $x \in \mathrm{Im}[f]$ where $x$ is a variable, and the second one decreases the number of occurrences of $\mathrm{Im}[f]$. Obviously, the normal forms cannot contain atoms of the form $t \in \mathrm{Im}[f]$, thus they must be in $St_0$. The rules preserve satisfiability: Proposition 50 ensures that the second rule preserves equivalence, and Lemma 51 ensures that the first one preserves satisfiability, since it shows that we can restrict ourselves to models in which the formula

$$\forall x\, \exists x_1, \ldots, x_n.\ \bigvee_{g \in \Sigma_f} x \simeq g(x_1, \ldots, x_n)$$

holds. Note that Condition 1 in the definition of $St_2$ ensures that every function symbol of the same range as $f$ is actually in $\Sigma_f$. We therefore have the following result:
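As an added worked example of Definition 52 (code written for this page, not the paper's), the following Python applies the two rules to clauses $\Gamma \to \Delta$ until no $\mathrm{Im}[f]$ atom remains, and also performs the obvious replacement of a negative occurrence $t \notin \mathrm{Im}[f]$ by $t \not\simeq f(x_1, \ldots, x_n)$ with fresh variables, as described just before the definition. The clause and term encoding, the profile map `PROFILES`, the sample set `S_EXAMPLE` and the function names are assumptions of this example; $\Sigma_f$ is computed from the profiles, relying on Condition 1 of $St_2$.

```python
# Added example (not the paper's code): the transformation of Definition 52 on
# clauses Gamma -> Delta, together with the obvious treatment of negative
# occurrences t ∉ Im[f] noted just before it.
from itertools import count

# Assumed encoding: variables are strings starting with '?', a term f(t1, ..., tn)
# is ('f', t1, ..., tn); atoms are ('eq', s, t) for s ~ t and ('im', t, f) for
# t ∈ Im[f]; a clause is (ant, suc) with ant = Gamma and suc = Delta (lists of
# atoms); a profile map sends each symbol to (argument sorts, result sort).
_fresh = count()

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def fresh_vars(n):
    """n pairwise distinct variables never used before."""
    return tuple(f'?v{next(_fresh)}' for _ in range(n))

def sigma_f(f, profiles):
    """Sigma_f: the symbols with the same profile as f (Condition 1 of St_2)."""
    return sorted(g for g, prof in profiles.items() if prof == profiles[f])

def eliminate_im(clause, profiles):
    """Normal form of one clause: a list of clauses without Im atoms.
    Negative t ∈ Im[f] (in Gamma) becomes t ~ f(x̄) with fresh x̄, i.e. the clause
    now reads t ≄ f(x̄) ∨ ...; rule 1 splits x ∈ Im[f] in Delta (x a variable) into
    one clause per g ∈ Sigma_f, adding x ~ g(x̄) to Gamma and g(x̄) ∈ Im[f] to
    Delta; rule 2 turns g(x̄) ∈ Im[f] in Delta into g(x̄) ~ f(x̄)."""
    ant, suc = list(clause[0]), list(clause[1])
    ant = [('eq', a, (b,) + fresh_vars(len(profiles[b][0]))) if k == 'im' else (k, a, b)
           for (k, a, b) in ant]
    for i, (k, a, b) in enumerate(suc):
        if k == 'im' and is_var(a):
            out = []
            for g in sigma_f(b, profiles):
                xs = fresh_vars(len(profiles[g][0]))
                new_ant = ant + [('eq', a, (g,) + xs)]
                new_suc = suc[:i] + [('im', (g,) + xs, b)] + suc[i + 1:]
                out.extend(eliminate_im((new_ant, new_suc), profiles))
            return out
    suc = [('eq', a, (b,) + a[1:]) if k == 'im' else (k, a, b) for (k, a, b) in suc]
    return [(ant, suc)]

def reduce_to_st0(S, profiles):
    """S_{↓0}: the transformation applied to every clause of S."""
    return [D for C in S for D in eliminate_im(C, profiles)]

# Constructed St_2 instance: f and g share the profile s x s -> r, h does not.
PROFILES = {'f': (('s', 's'), 'r'), 'g': (('s', 's'), 'r'), 'h': (('s',), 'q')}
S_EXAMPLE = [([], [('im', '?x', 'f')]),                  # -> x ∈ Im[f]
             ([('im', 'c', 'f')], [('eq', 'c', 'd')])]   # c ∈ Im[f] -> c ~ d
```

On `S_EXAMPLE`, the first clause is split into two clauses, $x \simeq f(x_1, x_2) \to f(x_1, x_2) \simeq f(x_1, x_2)$ and $x \simeq g(x_3, x_4) \to g(x_3, x_4) \simeq f(x_3, x_4)$, and the second becomes $c \simeq f(x_5, x_6) \to c \simeq d$; none of the three contains an $\mathrm{Im}$ atom, so the result is in $St_0$ and can be fed to the trivial instantiation scheme.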

Theorem 53 Let S G St2, then S^^qCz StQ. Furthermore, S is satisfiable if and only if S^q is satisfiable. 

In particular, these results hold when one of the sorts under consideration is Z and S contains Z-clauses: 

Corollary 54 If S ∈ St2 is a set of Z-clauses, then S is Z-satisfiable if and only if S↓0 is Z-satisfiable. 

Theorem 55 Consider a set of Z-clauses S = {A_i || C_i | i ∈ [1..n]} in St2 such that every A_i || C_i is pre- 
constrained, and for every occurrence of an atom t ∈ Im[f], the range of f is not of sort Z. The set S is 
Z-satisfiable if and only if γ(S↓0 Ω) is Z-satisfiable, where: 

• Ω is the set of substitutions of domain V(S) whose codomain is a set B such that A_i || C_i ≤ B for all 
i = 1, ..., n; 
• γ denotes an instantiation scheme for St0 satisfying the conditions of page [75] (e.g. γ(S) = S Ω' where 
Ω' is the set of substitutions of domain V(S) and of codomain T). 

Proof. By Corollary 54, S and S↓0 are equisatisfiable in Z, and since the transformation rules of Definition 
52 do not influence the arithmetic parts of the Z-clauses which do not contain any atom of the form t ∈ Im[f], 
the resulting clauses are preconstrained and upper bounded. Thus, by Theorem 35, S↓0 and S↓0 Ω ∪ ⋃_{t ∈ S_i} x ≉ 
t || are equisatisfiable. By applying Theorem 39, we deduce that S↓0 Ω ∪ ⋃_{t ∈ S_i} x ≉ t || and γ(S↓0 Ω) 
are equisatisfiable, hence the result. ■ 

Examples of specifications in the classes St0 and St2 are presented in [1]. Our results allow the integration 
of integer constraints into these specifications. 

8 Discussion 

In this paper we presented a way of defining an instantiation scheme for SMT problems based on a combination 
of linear arithmetic with another theory. The scheme consists in getting rid of the integer variables in 
the problem, and applying another instantiation procedure to the resulting problem. Provided the integer 
variables essentially occur in inequality constraints, this scheme is complete for the combination of linear 
arithmetic with several theories of interest to the SMT community, but also for the combination of linear 
arithmetic with other decidable theories such as the class St2 from [1]. The application of this scheme to 
the theory of arrays with integer indices shows that it can produce considerably fewer ground instances than 
other state-of-the-art procedures, such as that of [10]. The instantiation scheme of [11] is currently being 
implemented, and will be followed by a comparison with other tools on concrete examples from SMT-LIB. 

As far as further research is concerned, we intend to investigate how to generalize this procedure, in which 
it is imposed that functions of range Z can only have integer arguments. We intend to determine how to 
allow other functions of range Z while preserving completeness. It is shown in [10] that considering arrays 
with integer elements, for which nested reads can be allowed, gives rise to undecidable problems, but we 
expect to define decidable subclasses that may generalize those in [13]. Dealing with more general functions 
of range Z should also allow us to devise a new decision procedure for the class of arrays with dimension that 
is considered in JJ^. We also intend to generalize our approach to other combinations of theories that do not 
necessarily involve linear arithmetic, by determining conditions that guarantee that combinations of instantiation 
schemes can safely be employed to eliminate all variables from a formula. Another interesting line of research 
would be to avoid a systematic grounding of integer variables and to use decision procedures for non-ground 
systems of arithmetic formulae. The main difficulty is of course that with our current approach, instantiating 
the integer variables is required in order to determine how to instantiate the remaining variables. 